annihilation 0.1.0-alpha.1

Annihilative Keys
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274

use curve25519_dalek::{EdwardsPoint, edwards::CompressedEdwardsY};
#[cfg(any(feature = "convergent", feature = "divergent"))]
use ed25519_dalek::{SigningKey, VerifyingKey};
use subtle::{Choice, ConstantTimeEq};
use zeroize::{Zeroize, ZeroizeOnDrop};

#[cfg(any(feature = "convergent"))]
use crate::errors::AnnihilationError;
use crate::point::Point;

/// Magic constant as a 64 bit unsigned integer value,
/// used for key point offset calculations.
pub const KEY_MAGIC: u64 = 0x9E3779B97F4A7C15;
/// Magic constant as a 64 bit unsigned integer value,
/// used for antikey point offset calculations.
pub const ANTIKEY_MAGIC: u64 = 0x61C8864680B583EB;

/// An `AnnihilativeKey` represents the proof of work solution
/// and elliptic curve point of a key or antikey.
#[derive(Clone, Debug, Zeroize, ZeroizeOnDrop)]
pub struct AnnihilativeKey {
    pub solution: AnnihilativeSolution,
    pub point: CompressedEdwardsY,
}

/// An `AnnihilativeSolution` represents the serialized
/// proof of work solution of a key or antikey.
#[derive(Clone, Debug, Zeroize, ZeroizeOnDrop)]
pub struct AnnihilativeSolution {
    pub identity: u8,
    pub commitment: u64,
    pub body: [u8; 22],
    pub constraint: u8,
}

/// Trait for deriving convergent ed25519 keys.
///
/// Any [SigningKey] or [VerifyingKey] produced by the key
/// or antikey of an annihilative pair will match, making
/// derived keys shared between both pair members.
#[cfg(feature = "convergent")]
pub trait Convergent {
    /// Derive a shared [SigningKey] from an annihilative key.
    /// The annihilative key's counterpart can derive the same
    /// signing key independently.
    fn shared_signing_key(
        &self,
        context: Option<&[u8]>,
    ) -> Result<SigningKey, AnnihilationError>;
    /// Derive a shared [VerifyingKey] from an annihilative key.
    /// The annihilative key's counterpart can derive the same
    /// verifying key independently.
    fn shared_verifying_key(
        &self,
        context: Option<&[u8]>,
    ) -> Result<VerifyingKey, AnnihilationError>;
}

/// Trait for deriving divergent ed25519 keys.
///
/// Any [SigningKey] or [VerifyingKey] produced by the key
/// or antikey of an annihilative pair will not match, making
/// derived keys unique for each pair member.
#[cfg(feature = "divergent")]
pub trait Divergent {
    /// Derive a unique [SigningKey] from an annihilative key.
    /// The annihilative key's counterpart cannot independently
    /// derive the same signing key.
    fn own_signing_key(&self, context: Option<&[u8]>) -> SigningKey;
    /// Derive a unique [VerifyingKey] from an annihilative key.
    /// The annihilative key's counterpart cannot independently
    /// derive the same verifying key.
    fn own_verifying_key(&self, context: Option<&[u8]>) -> VerifyingKey;
}

impl AnnihilativeKey {
    /// Construct an `AnnihilativeKey` by combining proof of work solution
    /// bytes and a shared base point.
    pub fn new(solution: &[u8; 32], base_point: EdwardsPoint) -> Self {
        let solution = AnnihilativeSolution::from_bytes(solution);
        // Select magic constant
        let is_key = (solution.identity & 0x80) == 0;
        let magic = if is_key { KEY_MAGIC } else { ANTIKEY_MAGIC };
        // Derive offset from commitment and magic constant
        let m_point = Point::from_u64(magic);
        let c_point = Point::from_u64(solution.commitment);
        let offset = &m_point + &c_point;
        // Point from base + offset, construct annihilative key
        let point = (base_point + offset).compress();
        AnnihilativeKey { solution, point }
    }
    /// Serialize an `AnnihilativeKey` to a 64 byte array.
    ///
    /// The first 32 bytes contain the solution, and the last 32 bytes
    /// contain the compressed curve point.
    pub fn to_bytes(&self) -> [u8; 64] {
        let mut bytes = [0u8; 64];
        bytes[0] = self.solution.identity;
        bytes[1..9].copy_from_slice(&self.solution.commitment.to_le_bytes());
        bytes[9..31].copy_from_slice(&self.solution.body);
        bytes[31] = self.solution.constraint;
        bytes[32..].copy_from_slice(self.point.as_bytes());
        bytes
    }
    /// Deserialize an `AnnihilativeKey` from a 64 byte array.
    ///
    /// The first 32 bytes are interpreted as the solution, and the last
    /// 32 bytes as the compressed curve point.
    pub fn from_bytes(data: &[u8; 64]) -> Self {
        let mut solution_bytes = [0u8; 32];
        solution_bytes.copy_from_slice(&data[0..32]);
        let mut point_bytes = [0u8; 32];
        point_bytes.copy_from_slice(&data[32..]);
        Self {
            solution: AnnihilativeSolution::from_bytes(&solution_bytes),
            point: CompressedEdwardsY(point_bytes),
        }
    }
}

impl AnnihilativeSolution {
    /// Serialize an `AnnihilativeSolution` to a 32 byte array.
    pub fn to_bytes(&self) -> [u8; 32] {
        let mut bytes = [0u8; 32];
        bytes[0] = self.identity;
        bytes[1..9].copy_from_slice(&self.commitment.to_le_bytes());
        bytes[9..31].copy_from_slice(&self.body);
        bytes[31] = self.constraint;
        bytes
    }
    /// Deserialize an `AnnihilativeSolution` from a 32 byte array.
    pub fn from_bytes(data: &[u8; 32]) -> Self {
        let mut body = [0u8; 22];
        body.copy_from_slice(&data[9..31]);
        let commitment = u64::from_le_bytes(
            data[1..9]
                .try_into()
                .expect("data should contain a commitment"),
        );
        Self {
            identity: data[0],
            commitment,
            body,
            constraint: data[31],
        }
    }
}

impl ConstantTimeEq for AnnihilativeKey {
    fn ct_eq(&self, other: &Self) -> Choice {
        // Compare both the solution and the point in constant time
        self.solution.ct_eq(&other.solution)
            & self.point.as_bytes().ct_eq(other.point.as_bytes())
    }
}

impl PartialEq for AnnihilativeKey {
    fn eq(&self, other: &Self) -> bool {
        self.ct_eq(other).into()
    }
}

impl Eq for AnnihilativeKey {}

impl ConstantTimeEq for AnnihilativeSolution {
    fn ct_eq(&self, other: &Self) -> Choice {
        self.to_bytes().ct_eq(&other.to_bytes())
    }
}

impl PartialEq for AnnihilativeSolution {
    fn eq(&self, other: &Self) -> bool {
        self.ct_eq(other).into()
    }
}

impl Eq for AnnihilativeSolution {}

#[cfg(test)]
mod tests {
    use super::*;
    use curve25519_dalek::edwards::CompressedEdwardsY;
    use hex_literal::hex;

    /// Construct a test key from static values and hex string literals.
    fn test_key() -> AnnihilativeKey {
        let solution = AnnihilativeSolution {
            identity: 96,
            commitment: 5764305080309989910,
            body: hex!("f0ba820d877d17bde069485f536653c1acd2242d9a10"),
            constraint: 16,
        };
        let point = CompressedEdwardsY::from_slice(&hex!(
            "3c7f61f8aa2405f42d815e310a6091c7fb94df764c296a7c777cd108bdae7742"
        ))
        .expect("hex string should represent curve point bytes");
        AnnihilativeKey { solution, point }
    }

    /// Construct a test antikey from static values and hex string literals.
    fn test_antikey() -> AnnihilativeKey {
        let solution = AnnihilativeSolution {
            identity: 133,
            commitment: 5230833101896872809,
            body: hex!("f3ea7f7f9d35dac8904beec93fec5ff0b41e852b7d1b"),
            constraint: 16,
        };
        let point = CompressedEdwardsY::from_slice(&hex!(
            "9dd0d77e09d089fc4fff6c49c2d5c9f5b515369bf532caaf739a7e1ec3e6b3ec"
        ))
        .expect("hex string should represent curve point bytes");
        AnnihilativeKey { solution, point }
    }

    /// Decompress a test shared base point from a static hex string literal.
    fn test_base_point() -> EdwardsPoint {
        CompressedEdwardsY::from_slice(&hex!(
            "40568aff34637712aa09c5adc3f9915ec454a3000b705283666a7dcd488c66ad"
        ))
        .expect("hex string should represent curve point bytes")
        .decompress()
        .expect("invalid y-coordinate for curve point")
    }

    #[test]
    fn test_new() {
        let base_point = test_base_point();
        // Construct key from solution bytes and shared base point
        let key_solution = &test_key().solution;
        let key_data = &key_solution.to_bytes();
        let key = AnnihilativeKey::new(&key_data, base_point);
        // Construct antikey from solution bytes and shared base point
        let antikey_solution = &test_antikey().solution;
        let antikey_data = &antikey_solution.to_bytes();
        let antikey = AnnihilativeKey::new(&antikey_data, base_point);
        // Different commitments + magic constants must produce
        // different points for key and antikey.
        assert_ne!(key.point, antikey.point);
        // Solutions must match input
        assert_eq!(&key.solution, key_solution);
        assert_eq!(&antikey.solution, antikey_solution);
    }

    #[test]
    fn test_key_to_from_bytes() {
        let key = test_key();
        // Convert the key to and from bytes
        let bytes = key.to_bytes();
        let recovered = AnnihilativeKey::from_bytes(&bytes);
        // Recovered key must match original
        assert_eq!(recovered, key);
    }

    #[test]
    fn test_solution_to_from_bytes() {
        let key_solution = &test_key().solution;
        let bytes = key_solution.to_bytes();
        let recovered = AnnihilativeSolution::from_bytes(&bytes);
        // Recovered solution must match original
        assert_eq!(&recovered, key_solution);
    }

    #[test]
    fn test_clone_eq() {
        let key = test_key();
        let antikey = test_antikey();
        // Clone the key
        let cloned = key.clone();
        // Key and its clone must match (constant time)
        assert_eq!(key, cloned);
        // Key and antikey must not match (constant time)
        assert_ne!(key, antikey);
    }
}