darkfi_sdk/crypto/
note.rs1use std::io::Cursor;
20
21use chacha20poly1305::{AeadInPlace, ChaCha20Poly1305, KeyInit};
22use darkfi_serial::{Decodable, Encodable, SerialDecodable, SerialEncodable};
23use pasta_curves::{group::ff::Field, pallas};
24use rand_core::{CryptoRng, RngCore};
25
26#[cfg(feature = "async")]
27use darkfi_serial::async_trait;
28
29use super::{diffie_hellman, poseidon_hash, util::fp_mod_fv, PublicKey, SecretKey};
30use crate::error::ContractError;
31
32pub const AEAD_TAG_SIZE: usize = 16;
34
35#[derive(Debug, Clone, PartialEq, Eq, SerialEncodable, SerialDecodable)]
37pub struct AeadEncryptedNote {
38 pub ciphertext: Vec<u8>,
39 pub ephem_public: PublicKey,
40}
41
42impl AeadEncryptedNote {
43 pub fn encrypt(
44 note: &impl Encodable,
45 public: &PublicKey,
46 rng: &mut (impl CryptoRng + RngCore),
47 ) -> Result<Self, ContractError> {
48 let ephem_secret = SecretKey::random(rng);
49 let ephem_public = PublicKey::from_secret(ephem_secret);
50 let shared_secret = diffie_hellman::sapling_ka_agree(&ephem_secret, public)?;
51 let key = diffie_hellman::kdf_sapling(&shared_secret, &ephem_public);
52
53 let mut input = Vec::new();
54 note.encode(&mut input)?;
55 let input_len = input.len();
56
57 let mut ciphertext = vec![0_u8; input_len + AEAD_TAG_SIZE];
58 ciphertext[..input_len].copy_from_slice(&input);
59
60 ChaCha20Poly1305::new(key.as_ref().into())
61 .encrypt_in_place([0u8; 12][..].into(), &[], &mut ciphertext)
62 .unwrap();
63
64 Ok(Self { ciphertext, ephem_public })
65 }
66
67 pub fn decrypt<D: Decodable>(&self, secret: &SecretKey) -> Result<D, ContractError> {
68 let shared_secret = diffie_hellman::sapling_ka_agree(secret, &self.ephem_public)?;
69 let key = diffie_hellman::kdf_sapling(&shared_secret, &self.ephem_public);
70
71 let ct_len = self.ciphertext.len();
72 let mut plaintext = vec![0_u8; ct_len];
73 plaintext.copy_from_slice(&self.ciphertext);
74
75 match ChaCha20Poly1305::new(key.as_ref().into()).decrypt_in_place(
76 [0u8; 12][..].into(),
77 &[],
78 &mut plaintext,
79 ) {
80 Ok(()) => {
81 let mut cursor = Cursor::new(&plaintext[..ct_len - AEAD_TAG_SIZE]);
82 Ok(D::decode(&mut cursor)?)
83 }
84 Err(e) => Err(ContractError::IoError(format!("Note decrypt failed: {e}"))),
85 }
86 }
87}
88
89#[derive(Debug, Copy, Clone, PartialEq, Eq, SerialEncodable, SerialDecodable)]
95pub struct ElGamalEncryptedNote<const N: usize> {
96 pub encrypted_values: [pallas::Base; N],
98 pub ephem_public: PublicKey,
100}
101
102impl<const N: usize> ElGamalEncryptedNote<N> {
103 pub fn encrypt_unsafe(
109 values: [pallas::Base; N],
110 ephem_secret: &SecretKey,
111 public: &PublicKey,
112 ) -> Result<Self, ContractError> {
113 let ephem_public = PublicKey::from_secret(*ephem_secret);
115 let (ss_x, ss_y) =
116 PublicKey::try_from(public.inner() * fp_mod_fv(ephem_secret.inner()))?.xy();
117 let shared_secret = poseidon_hash([ss_x, ss_y]);
118
119 let mut blinds = [pallas::Base::ZERO; N];
121 for (i, item) in blinds.iter_mut().enumerate().take(N) {
122 *item = poseidon_hash([shared_secret, pallas::Base::from(i as u64 + 1)]);
123 }
124
125 let mut encrypted_values = [pallas::Base::ZERO; N];
127 for i in 0..N {
128 encrypted_values[i] = values[i] + blinds[i];
129 }
130
131 Ok(Self { encrypted_values, ephem_public })
132 }
133
134 pub fn decrypt_unsafe(&self, secret: &SecretKey) -> Result<[pallas::Base; N], ContractError> {
141 let (ss_x, ss_y) =
143 PublicKey::try_from(self.ephem_public.inner() * fp_mod_fv(secret.inner()))?.xy();
144 let shared_secret = poseidon_hash([ss_x, ss_y]);
145
146 let mut blinds = [pallas::Base::ZERO; N];
147 for (i, item) in blinds.iter_mut().enumerate().take(N) {
148 *item = poseidon_hash([shared_secret, pallas::Base::from(i as u64 + 1)]);
149 }
150
151 let mut decrypted_values = [pallas::Base::ZERO; N];
152 for i in 0..N {
153 decrypted_values[i] = self.encrypted_values[i] - blinds[i];
154 }
155
156 Ok(decrypted_values)
157 }
158}
159
160#[cfg(test)]
161mod tests {
162 use super::*;
163 use crate::crypto::Keypair;
164
165 use rand::rngs::OsRng;
166
167 #[test]
168 fn test_aead_note() {
169 let plaintext = "gm world";
170 let keypair = Keypair::random(&mut OsRng);
171
172 let encrypted_note =
173 AeadEncryptedNote::encrypt(&plaintext, &keypair.public, &mut OsRng).unwrap();
174
175 let plaintext2: String = encrypted_note.decrypt(&keypair.secret).unwrap();
176
177 assert_eq!(plaintext, plaintext2);
178 }
179
180 #[test]
181 fn test_elgamal_note() {
182 const N_MSGS: usize = 10;
183
184 let plain_values = [pallas::Base::random(&mut OsRng); N_MSGS];
185 let keypair = Keypair::random(&mut OsRng);
186 let ephem_secret = SecretKey::random(&mut OsRng);
187
188 let encrypted_note =
189 ElGamalEncryptedNote::encrypt_unsafe(plain_values, &ephem_secret, &keypair.public)
190 .unwrap();
191
192 let decrypted_values = encrypted_note.decrypt_unsafe(&keypair.secret).unwrap();
193
194 assert_eq!(plain_values, decrypted_values);
195 }
196}