hopr_crypto_sphinx/

ec_groups.rs

use hopr_types::crypto::errors::Result;
#[cfg(feature = "secp256k1")]
use {
    elliptic_curve::{
        Group,
        ops::MulByGenerator,
        sec1::{FromEncodedPoint, ToEncodedPoint},
    },
    hopr_types::crypto::prelude::CryptoError,
    k256::{AffinePoint, EncodedPoint},
};

use crate::shared_keys::{Alpha, GroupElement, Scalar, SphinxSuite};

#[cfg(any(feature = "x25519", feature = "ed25519"))]
impl Scalar for curve25519_dalek::scalar::Scalar {
    fn random() -> Self {
        let bytes = hopr_types::crypto_random::random_bytes::<32>();
        Self::from_bytes(&bytes).unwrap()
    }

    fn from_bytes(bytes: &[u8]) -> Result<Self> {
        hopr_types::crypto::utils::x25519_scalar_from_bytes(bytes)
    }
}

#[cfg(feature = "secp256k1")]
impl Scalar for k256::Scalar {
    fn random() -> Self {
        // Beware, this is not constant-time
        let mut rng = hopr_types::crypto_random::rng();
        let mut bytes = k256::FieldBytes::default();
        use elliptic_curve::PrimeField;
        use hopr_types::crypto_random::Rng;
        // Needs manual implementation due to incompatible rand crates
        // k256::Scalar::generate_vartime(&mut hopr_types::crypto_random::rng())

        loop {
            rng.fill_bytes(&mut bytes);
            if let Some(scalar) = k256::Scalar::from_repr(bytes).into() {
                return scalar;
            }
        }
    }

    fn from_bytes(bytes: &[u8]) -> Result<Self> {
        hopr_types::crypto::utils::k256_scalar_from_bytes(bytes)
    }
}

#[cfg(feature = "x25519")]
impl GroupElement<curve25519_dalek::scalar::Scalar> for curve25519_dalek::MontgomeryPoint {
    type AlphaLen = typenum::U32;

    fn to_alpha(&self) -> Alpha<typenum::U32> {
        self.0.into()
    }

    fn from_alpha(alpha: Alpha<typenum::U32>) -> Result<Self> {
        Ok(curve25519_dalek::MontgomeryPoint(alpha.into()))
    }

    fn generate(scalar: &curve25519_dalek::scalar::Scalar) -> Self {
        curve25519_dalek::EdwardsPoint::mul_base(scalar).to_montgomery()
    }

    fn is_valid(&self) -> bool {
        use curve25519_dalek::traits::IsIdentity;
        !self.is_identity()
    }
}

#[cfg(feature = "ed25519")]
impl GroupElement<curve25519_dalek::scalar::Scalar> for curve25519_dalek::EdwardsPoint {
    type AlphaLen = typenum::U32;

    fn to_alpha(&self) -> Alpha<typenum::U32> {
        self.compress().0.into()
    }

    fn from_alpha(alpha: Alpha<typenum::U32>) -> Result<Self> {
        curve25519_dalek::edwards::CompressedEdwardsY(alpha.into())
            .decompress()
            .ok_or(hopr_types::crypto::errors::CryptoError::InvalidInputValue("alpha"))
    }

    fn generate(scalar: &curve25519_dalek::scalar::Scalar) -> Self {
        curve25519_dalek::EdwardsPoint::mul_base(scalar)
    }

    fn is_valid(&self) -> bool {
        // Ed25519 scalars always come clamped (pre-multiplied by the curve's co-factor)
        // and therefore cannot result into points of small order.
        // See `x25519_scalar_from_bytes` for more details.
        use curve25519_dalek::traits::IsIdentity;
        !self.is_identity()
    }
}

#[cfg(feature = "secp256k1")]
impl GroupElement<k256::Scalar> for k256::ProjectivePoint {
    type AlphaLen = typenum::U33;

    fn to_alpha(&self) -> Alpha<typenum::U33> {
        let mut ret = Alpha::<typenum::U33>::default();
        ret.copy_from_slice(self.to_affine().to_encoded_point(true).as_ref());
        ret
    }

    fn from_alpha(alpha: Alpha<typenum::U33>) -> Result<Self> {
        EncodedPoint::from_bytes(alpha)
            .map_err(|_| CryptoError::InvalidInputValue("alpha"))
            .and_then(|ep| {
                AffinePoint::from_encoded_point(&ep)
                    .into_option()
                    .ok_or(CryptoError::InvalidInputValue("alpha"))
            })
            .map(k256::ProjectivePoint::from)
    }

    fn generate(scalar: &k256::Scalar) -> Self {
        k256::ProjectivePoint::mul_by_generator(scalar)
    }

    fn is_valid(&self) -> bool {
        !bool::from(self.is_identity())
    }
}

// TODO: invert this, so that each SphinxSuite takes this as a type argument
/// Default packet block size for the Sphinx protocol.
///
/// Currently, 1038 bytes.
pub type DefaultSphinxPacketSize = typenum::Sum<typenum::U1024, typenum::U14>;

pub use typenum::Unsigned;

/// Represents an instantiation of the Sphinx protocol using secp256k1 elliptic curve and `ChainKeypair`
#[cfg(feature = "secp256k1")]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
pub struct Secp256k1Suite;

#[cfg(feature = "secp256k1")]
impl SphinxSuite for Secp256k1Suite {
    type E = k256::Scalar;
    type G = k256::ProjectivePoint;
    type P = hopr_types::crypto::keypairs::ChainKeypair;
    type PRP = hopr_types::crypto::lioness::LionessBlake3ChaCha20<DefaultSphinxPacketSize>;
}

/// Represents an instantiation of the Sphinx protocol using the ed25519 curve and `OffchainKeypair`
#[cfg(feature = "ed25519")]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
pub struct Ed25519Suite;

#[cfg(feature = "ed25519")]
impl SphinxSuite for Ed25519Suite {
    type E = curve25519_dalek::scalar::Scalar;
    type G = curve25519_dalek::edwards::EdwardsPoint;
    type P = hopr_types::crypto::keypairs::OffchainKeypair;
    type PRP = hopr_types::crypto::lioness::LionessBlake3ChaCha20<DefaultSphinxPacketSize>;
}

/// Represents an instantiation of the Sphinx protocol using the Curve25519 curve and `OffchainKeypair`
#[cfg(feature = "x25519")]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
pub struct X25519Suite;

#[cfg(feature = "x25519")]
impl SphinxSuite for X25519Suite {
    type E = curve25519_dalek::scalar::Scalar;
    type G = curve25519_dalek::montgomery::MontgomeryPoint;
    type P = hopr_types::crypto::keypairs::OffchainKeypair;
    type PRP = hopr_types::crypto::lioness::LionessBlake3ChaCha20<DefaultSphinxPacketSize>;
}

#[cfg(test)]
mod tests {
    use parameterized::parameterized;

    use crate::shared_keys::tests::generic_sphinx_suite_test;

    #[cfg(feature = "secp256k1")]
    #[test]
    fn test_extract_key_from_group_element() {
        use crate::shared_keys::GroupElement;

        let salt = [0xde, 0xad, 0xbe, 0xef];
        let pt = k256::ProjectivePoint::GENERATOR;

        let key = pt.extract_key("test", &salt);
        assert_eq!(
            "08112a22609819a4c698d6c92f404628ca925f3d731d53594126ffdf19ef6fa9",
            hex::encode(key)
        );
    }

    #[cfg(feature = "secp256k1")]
    #[test]
    fn test_expand_key_from_group_element() {
        use crate::shared_keys::GroupElement;

        let salt = [0xde, 0xad, 0xbe, 0xef];
        let pt = k256::ProjectivePoint::GENERATOR;

        let key = pt.extract_key("test", &salt);

        assert_eq!(
            "08112a22609819a4c698d6c92f404628ca925f3d731d53594126ffdf19ef6fa9",
            hex::encode(key)
        );
    }

    #[cfg(feature = "secp256k1")]
    #[parameterized(nodes = {4, 3, 2, 1})]
    fn test_secp256k1_suite(nodes: usize) {
        generic_sphinx_suite_test::<crate::ec_groups::Secp256k1Suite>(nodes)
    }

    #[cfg(feature = "ed25519")]
    #[parameterized(nodes = {4, 3, 2, 1})]
    fn test_ed25519_shared_keys(nodes: usize) {
        generic_sphinx_suite_test::<crate::ec_groups::Ed25519Suite>(nodes)
    }

    #[cfg(feature = "x25519")]
    #[parameterized(nodes = {4, 3, 2, 1})]
    fn test_montgomery_shared_keys(nodes: usize) {
        generic_sphinx_suite_test::<crate::ec_groups::X25519Suite>(nodes)
    }
}