use rand::prelude::*;
use curve25519_dalek::constants;
use curve25519_dalek::ristretto::{CompressedRistretto};
use curve25519_dalek::scalar::Scalar;
use super::*;
use crate::context::SigningTranscript;
/// Secret half of an ECQV implicit certificate, as handed from the issuer to
/// the certificate holder: the 32 compressed bytes of `gamma` followed by the
/// 32 canonical bytes of the issuer's scalar contribution `s`.
///
/// `s` is folded into the holder's final secret key, so this value is key
/// material: it derives neither `Debug` nor any serialisation, and should be
/// kept out of logs. Note that `Copy` means stray copies are never zeroized.
#[derive(Clone, Copy)]
pub struct ECQVCertSecret(pub [u8; 64]);
impl From<ECQVCertSecret> for ECQVCertPublic {
    /// Project the public half (`gamma`, the leading 32 bytes) out of the
    /// full certificate secret; the trailing scalar bytes are discarded.
    fn from(secret: ECQVCertSecret) -> ECQVCertPublic {
        let mut gamma = [0u8; 32];
        // `zip` stops at the shorter side, i.e. after exactly 32 bytes.
        for (dst, src) in gamma.iter_mut().zip(secret.0.iter()) {
            *dst = *src;
        }
        ECQVCertPublic(gamma)
    }
}
/// Public half of an ECQV implicit certificate: the compressed Ristretto
/// point `gamma`. This is the part that gets published; anyone holding the
/// issuer's public key can turn it into the holder's public key with
/// `PublicKey::open_ecqv_cert`.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub struct ECQVCertPublic(pub [u8; 32]);
impl ECQVCertPublic {
    /// Squeeze the certificate challenge `e` out of a transcript that the
    /// caller has already fed with the protocol name, the issuer's public key
    /// and `gamma`, in that order. `self` is not read here: the binding to
    /// `gamma` comes from the caller's `commit_point(b"gamma", ..)`.
    fn derive_e<T>(&self, mut transcript: T) -> Scalar
    where T: SigningTranscript
    {
        transcript.challenge_scalar(b"e")
    }
}
impl Keypair {
    /// Issue an ECQV implicit certificate for the holder whose seed public
    /// key is `seed_public_key`, bound to the transcript `t`.
    ///
    /// Transcript layout, which `accept_ecqv_cert` and `open_ecqv_cert` must
    /// mirror exactly: `proto_name("ECQV")`, `commit_point("Issuer-pk")`,
    /// `commit_point("gamma")`, then `challenge_scalar("e")`. The issuer
    /// nonce `k` is a witness over the issuer's secret nonce and the seed
    /// public key (whatever else `witness_scalar` folds in is up to the
    /// transcript implementation).
    ///
    /// Returns `gamma || s` with `gamma = seed_pk + k*G` and
    /// `s = e*k + issuer_secret`. `s` is secret for the holder, so the
    /// returned value must be transmitted confidentially.
    pub fn issue_ecqv_cert<T>(&self, mut t: T, seed_public_key: &PublicKey) -> ECQVCertSecret
    where T: SigningTranscript
    {
        t.proto_name(b"ECQV");
        t.commit_point(b"Issuer-pk", self.public.as_compressed());

        let seed_compressed = seed_public_key.as_compressed();
        let k = t.witness_scalar(&[&self.secret.nonce, seed_compressed.as_bytes()]);

        // gamma = seed_pk + k*G, committed to the transcript in compressed form.
        let gamma = (seed_public_key.as_point() + &constants::RISTRETTO_BASEPOINT_TABLE * &k).compress();
        t.commit_point(b"gamma", &gamma);

        let cert_public = ECQVCertPublic(gamma.0);
        let e = cert_public.derive_e(t);
        let s = e * k + self.secret.key;

        let mut bytes = [0u8; 64];
        bytes[..32].copy_from_slice(&gamma.0);
        bytes[32..].copy_from_slice(s.as_bytes());
        ECQVCertSecret(bytes)
    }
}
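impl PublicKey {
    /// Accept an ECQV certificate issued by this (issuer) public key for a
    /// holder whose seed secret key is `seed_secret_key`, yielding the
    /// certificate's public half and the holder's certified secret key.
    ///
    /// `t` must be the transcript the issuer used; the commitments replayed
    /// here (`proto_name`, `Issuer-pk`, `gamma`) mirror `issue_ecqv_cert` and
    /// `open_ecqv_cert`, so the challenge `e` comes out identical.
    ///
    /// # Errors
    /// * `ScalarFormatError` if `s` is not a canonical scalar encoding.
    /// * `PointDecompressionError` if `gamma` is not a valid compressed point.
    /// * `EquationFalse` if the certified secret key does not match the
    ///   public key `open_ecqv_cert` reconstructs from the same certificate,
    ///   i.e. the issuer supplied an inconsistent `s`/`gamma` pair.
    pub fn accept_ecqv_cert<T>(
        &self,
        mut t: T,
        seed_secret_key: &SecretKey,
        cert_secret: ECQVCertSecret
    ) -> SignatureResult<(ECQVCertPublic, SecretKey)>
    where T: SigningTranscript
    {
        t.proto_name(b"ECQV");
        t.commit_point(b"Issuer-pk",self.as_compressed());

        // Fresh nonce for the certified key, derived via the transcript from
        // the certificate bytes and the seed key's nonce, rather than reusing
        // the seed nonce as-is.
        let mut nonce = [0u8; 32];
        t.witness_bytes(&mut nonce, &[&cert_secret.0[..],&seed_secret_key.nonce]);

        // Reject non-canonical `s` encodings outright.
        let mut s = [0u8; 32];
        s.copy_from_slice(&cert_secret.0[32..64]);
        let s = Scalar::from_canonical_bytes(s).ok_or(SignatureError::ScalarFormatError) ?;

        let cert_public : ECQVCertPublic = cert_secret.into();
        let gamma = CompressedRistretto(cert_public.0);
        t.commit_point(b"gamma",&gamma);
        let gamma = gamma.decompress().ok_or(SignatureError::PointDecompressionError) ?;

        let e = cert_public.derive_e(t);
        let key = s + e * seed_secret_key.key;

        // Certificate reception check: the key we just derived must be the
        // discrete log of the public key anyone will reconstruct from
        // (issuer_pk, gamma), exactly as `open_ecqv_cert` does. Without this,
        // a faulty or malicious issuer can hand us a key whose signatures
        // never verify against our own certificate.
        let expected = self.as_point() + e * gamma;
        if &key * &constants::RISTRETTO_BASEPOINT_TABLE != expected {
            return Err(SignatureError::EquationFalse);
        }

        Ok(( cert_public, SecretKey { key, nonce } ))
    }
}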
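impl Keypair {
    /// Issue a certificate to ourselves: generate an ephemeral seed keypair
    /// from `thread_rng()`, certify its public key under `self`, and
    /// immediately accept the result. The caller gets a fresh
    /// `(cert, secret key)` pair whose public key anyone can reconstruct via
    /// `open_ecqv_cert` from `self.public` and the certificate.
    ///
    /// The transcript is cloned because issuing and accepting each consume a
    /// copy and must observe identical commitments.
    ///
    /// # Panics
    /// Only if `accept_ecqv_cert` rejects a certificate this method just
    /// issued, which would be a bug in this module rather than bad input.
    pub fn issue_self_ecqv_cert<T>(&self, t: T) -> (ECQVCertPublic, SecretKey)
    where T: SigningTranscript+Clone
    {
        let seed = Keypair::generate(thread_rng());
        let cert_secret = self.issue_ecqv_cert(t.clone(), &seed.public);
        // The original message claimed the opposite of what it meant.
        self.public.accept_ecqv_cert(t, &seed.secret, cert_secret)
            .expect("Cert issued above and known not to produce signature errors; qed")
    }
}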
impl PublicKey {
    /// Reconstruct the certified public key from an ECQV certificate issued
    /// under this (issuer) public key: `pk = issuer_pk + e * gamma`, where
    /// `e` is the transcript challenge over (`ECQV`, `Issuer-pk`, `gamma`).
    /// This is the public-side counterpart of `accept_ecqv_cert`.
    ///
    /// # Errors
    /// `PointDecompressionError` if `gamma` does not decode as a Ristretto point.
    pub fn open_ecqv_cert<T>(&self, mut t: T, cert_public: &ECQVCertPublic) -> SignatureResult<PublicKey>
    where T: SigningTranscript
    {
        t.proto_name(b"ECQV");
        t.commit_point(b"Issuer-pk", self.as_compressed());

        let gamma_compressed = CompressedRistretto(cert_public.0);
        t.commit_point(b"gamma", &gamma_compressed);

        let gamma = match gamma_compressed.decompress() {
            Some(point) => point,
            None => return Err(SignatureError::PointDecompressionError),
        };
        let e = cert_public.derive_e(t);
        Ok(PublicKey::from_point(self.as_point() + e * gamma))
    }
}
#[cfg(test)]
mod tests {
    use rand::prelude::*;
    use super::*;

    /// The secret-side path (`issue_self_ecqv_cert`) and the public-side
    /// path (`open_ecqv_cert`) must agree on the certified public key.
    #[test]
    fn ecqv_cert_public_vs_private_paths() {
        let transcript = signing_context(b"").bytes(b"MrMeow!");
        let issuer = Keypair::generate(thread_rng());

        let (cert, certified_secret) = issuer.issue_self_ecqv_cert(transcript.clone());
        let reconstructed = issuer.public
            .open_ecqv_cert(transcript, &cert)
            .expect("gamma produced by issue_self_ecqv_cert decompresses");

        assert_eq!(certified_secret.to_public(), reconstructed);
    }
}