chie-crypto 0.2.0

Cryptographic primitives for CHIE Protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335

//! Cryptographic commitments for zero-knowledge proofs and challenge-response.
//!
//! This module provides commitment schemes used in the bandwidth proof protocol:
//! - Hash-based commitments (Pedersen-style)
//! - Challenge-response protocols
//! - Proof-of-possession for chunk data

use crate::hash::{Hash, hash, keyed_hash};
use crate::{PublicKey, SecretKey, SignatureBytes};
use rand::Rng as _;
use thiserror::Error;

/// Commitment value (256 bits).
pub type Commitment = Hash;

/// Opening value for a commitment.
#[derive(Debug, Clone)]
pub struct CommitmentOpening {
    /// The committed value.
    pub value: Vec<u8>,
    /// Random blinding factor.
    pub blinding: [u8; 32],
}

/// Commitment error types.
#[derive(Debug, Error)]
pub enum CommitmentError {
    #[error("Invalid commitment opening")]
    InvalidOpening,

    #[error("Commitment verification failed")]
    VerificationFailed,

    #[error("Invalid proof")]
    InvalidProof,
}

/// Create a cryptographic commitment to a value.
///
/// Uses a hash-based commitment scheme: C = H(value || blinding)
pub fn commit(value: &[u8]) -> (Commitment, CommitmentOpening) {
    let mut blinding = [0u8; 32];
    rand::rng().fill_bytes(&mut blinding);

    let mut data = Vec::with_capacity(value.len() + 32);
    data.extend_from_slice(value);
    data.extend_from_slice(&blinding);

    let commitment = hash(&data);

    let opening = CommitmentOpening {
        value: value.to_vec(),
        blinding,
    };

    (commitment, opening)
}

/// Verify a commitment opening.
pub fn verify_commitment(
    commitment: &Commitment,
    opening: &CommitmentOpening,
) -> Result<(), CommitmentError> {
    let mut data = Vec::with_capacity(opening.value.len() + 32);
    data.extend_from_slice(&opening.value);
    data.extend_from_slice(&opening.blinding);

    let computed = hash(&data);

    if &computed == commitment {
        Ok(())
    } else {
        Err(CommitmentError::VerificationFailed)
    }
}

/// Proof of possession for chunk data.
///
/// This proves that a node has access to the actual chunk data
/// without revealing the data itself.
#[derive(Debug, Clone)]
pub struct ChunkPossessionProof {
    /// Challenge nonce used in the proof.
    pub challenge: [u8; 32],
    /// Response: HMAC(chunk_data, challenge).
    pub response: Hash,
}

impl ChunkPossessionProof {
    /// Generate a proof of possession for chunk data.
    ///
    /// # Arguments
    /// * `chunk_data` - The actual chunk data to prove possession of
    /// * `challenge` - Challenge nonce from the requester
    pub fn generate(chunk_data: &[u8], challenge: &[u8; 32]) -> Self {
        // Response is keyed hash: H_k(chunk_data) where k = challenge
        let response = keyed_hash(challenge, chunk_data);

        Self {
            challenge: *challenge,
            response,
        }
    }

    /// Verify the proof of possession.
    ///
    /// # Arguments
    /// * `chunk_data` - The chunk data to verify against
    pub fn verify(&self, chunk_data: &[u8]) -> Result<(), CommitmentError> {
        let expected = keyed_hash(&self.challenge, chunk_data);

        if expected == self.response {
            Ok(())
        } else {
            Err(CommitmentError::InvalidProof)
        }
    }
}

/// Challenge for requesting proof of chunk possession.
#[derive(Debug, Clone)]
pub struct ChunkChallenge {
    /// Random challenge nonce.
    pub nonce: [u8; 32],
    /// Chunk index being challenged.
    pub chunk_index: u64,
    /// Expected chunk hash (for verification).
    pub expected_hash: Hash,
}

impl ChunkChallenge {
    /// Create a new chunk challenge.
    pub fn new(chunk_index: u64, expected_hash: Hash) -> Self {
        let mut nonce = [0u8; 32];
        rand::rng().fill_bytes(&mut nonce);

        Self {
            nonce,
            chunk_index,
            expected_hash,
        }
    }

    /// Verify a chunk possession proof against this challenge.
    pub fn verify_proof(
        &self,
        chunk_data: &[u8],
        proof: &ChunkPossessionProof,
    ) -> Result<(), CommitmentError> {
        // Check the chunk hash matches
        let chunk_hash = hash(chunk_data);
        if chunk_hash != self.expected_hash {
            return Err(CommitmentError::InvalidProof);
        }

        // Check the nonce matches
        if proof.challenge != self.nonce {
            return Err(CommitmentError::InvalidProof);
        }

        // Verify the proof
        proof.verify(chunk_data)
    }
}

/// Bandwidth proof commitment for challenge-response protocol.
///
/// Used in the CHIE bandwidth proof protocol to prevent cheating.
#[derive(Debug, Clone)]
pub struct BandwidthProofCommitment {
    /// Commitment to the chunk data.
    pub chunk_commitment: Commitment,
    /// Timestamp of commitment.
    pub timestamp: i64,
    /// Chunk index.
    pub chunk_index: u64,
}

impl BandwidthProofCommitment {
    /// Create a commitment to chunk data before transfer.
    pub fn new(chunk_data: &[u8], chunk_index: u64, timestamp: i64) -> (Self, CommitmentOpening) {
        let (commitment, opening) = commit(chunk_data);

        let bw_commitment = Self {
            chunk_commitment: commitment,
            timestamp,
            chunk_index,
        };

        (bw_commitment, opening)
    }

    /// Verify the commitment against the actual chunk data.
    pub fn verify(
        &self,
        opening: &CommitmentOpening,
        expected_chunk_data: &[u8],
    ) -> Result<(), CommitmentError> {
        // Verify the commitment opening
        verify_commitment(&self.chunk_commitment, opening)?;

        // Verify the opened value matches expected chunk data
        if opening.value != expected_chunk_data {
            return Err(CommitmentError::VerificationFailed);
        }

        Ok(())
    }
}

/// Proof-of-possession for a signing key (proves knowledge of secret key).
#[derive(Debug, Clone)]
pub struct KeyPossessionProof {
    /// Public key being proven.
    pub public_key: PublicKey,
    /// Challenge nonce.
    pub challenge: [u8; 32],
    /// Signature of challenge.
    pub signature: SignatureBytes,
}

impl KeyPossessionProof {
    /// Generate a proof of possession for a signing key.
    pub fn generate(
        secret_key: &SecretKey,
        challenge: &[u8; 32],
    ) -> Result<Self, crate::SigningError> {
        use crate::signing::KeyPair;

        let keypair = KeyPair::from_secret_key(secret_key)?;
        let public_key = keypair.public_key();
        let signature = keypair.sign(challenge);

        Ok(Self {
            public_key,
            challenge: *challenge,
            signature,
        })
    }

    /// Verify the proof of possession.
    pub fn verify(&self) -> Result<(), CommitmentError> {
        use crate::signing::verify;

        verify(&self.public_key, &self.challenge, &self.signature)
            .map_err(|_| CommitmentError::InvalidProof)
    }
}

/// Generate a random challenge nonce.
pub fn generate_challenge() -> [u8; 32] {
    let mut challenge = [0u8; 32];
    rand::rng().fill_bytes(&mut challenge);
    challenge
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_commit_verify() {
        let value = b"test data to commit";
        let (commitment, opening) = commit(value);

        assert!(verify_commitment(&commitment, &opening).is_ok());

        // Wrong value should fail
        let mut wrong_opening = opening.clone();
        wrong_opening.value = b"wrong data".to_vec();
        assert!(verify_commitment(&commitment, &wrong_opening).is_err());
    }

    #[test]
    fn test_chunk_possession_proof() {
        let chunk_data = b"chunk data that needs to be proven";
        let challenge = generate_challenge();

        let proof = ChunkPossessionProof::generate(chunk_data, &challenge);
        assert!(proof.verify(chunk_data).is_ok());

        // Wrong data should fail
        assert!(proof.verify(b"wrong data").is_err());
    }

    #[test]
    fn test_chunk_challenge() {
        let chunk_data = b"test chunk data";
        let chunk_hash = hash(chunk_data);
        let challenge = ChunkChallenge::new(0, chunk_hash);

        let proof = ChunkPossessionProof::generate(chunk_data, &challenge.nonce);
        assert!(challenge.verify_proof(chunk_data, &proof).is_ok());

        // Wrong chunk should fail
        assert!(challenge.verify_proof(b"wrong chunk", &proof).is_err());
    }

    #[test]
    fn test_bandwidth_proof_commitment() {
        let chunk_data = b"bandwidth proof chunk";
        let (commitment, opening) = BandwidthProofCommitment::new(chunk_data, 0, 1234567890);

        assert!(commitment.verify(&opening, chunk_data).is_ok());
        assert!(commitment.verify(&opening, b"wrong data").is_err());
    }

    #[test]
    fn test_key_possession_proof() {
        use crate::signing::KeyPair;

        let keypair = KeyPair::generate();
        let secret = keypair.secret_key();
        let challenge = generate_challenge();

        let proof = KeyPossessionProof::generate(&secret, &challenge).unwrap();
        assert!(proof.verify().is_ok());

        // Tampered signature should fail
        let mut bad_proof = proof.clone();
        bad_proof.signature[0] ^= 1;
        assert!(bad_proof.verify().is_err());
    }

    #[test]
    fn test_different_blindings() {
        let value = b"same value";

        let (c1, _) = commit(value);
        let (c2, _) = commit(value);

        // Same value with different blindings should produce different commitments
        assert_ne!(c1, c2);
    }
}