phoenix_core/keys/
secret.rs

1// This Source Code Form is subject to the terms of the Mozilla Public
2// License, v. 2.0. If a copy of the MPL was not distributed with this
3// file, You can obtain one at http://mozilla.org/MPL/2.0/.
4//
5// Copyright (c) DUSK NETWORK. All rights reserved.
6
7use crate::{keys::hash, StealthAddress};
8
9use dusk_jubjub::{JubJubScalar, GENERATOR_EXTENDED};
10use ff::Field;
11use jubjub_schnorr::SecretKey as NoteSecretKey;
12use zeroize::Zeroize;
13
14#[cfg(feature = "rkyv-impl")]
15use rkyv::{Archive, Deserialize, Serialize};
16
17use dusk_bytes::{DeserializableSlice, Error, Serializable};
18use rand::{CryptoRng, RngCore};
19use subtle::{Choice, ConstantTimeEq};
20
21/// Secret pair of `a` and `b` defining a [`SecretKey`]
22///
23/// ## Safety
24///
25/// To ensure that no secret information lingers in memory after the variable
26/// goes out of scope, we advice calling `zeroize` before the variable goes out
27/// of scope.
28///
29/// ## Examples
30///
31/// Generate a random `SecretKey`:
32/// ```
33/// use phoenix_core::SecretKey;
34/// use rand::rngs::StdRng;
35/// use rand::SeedableRng;
36/// use zeroize::Zeroize;
37///
38/// let mut rng = StdRng::seed_from_u64(12345);
39/// let mut sk = SecretKey::random(&mut rng);
40///
41/// // do something with the sk
42///
43/// sk.zeroize();
44/// ```
45///
46/// # Note
47/// Implementing `ZeroizeOnDrop` seems like an excellent way to lift the burden
48/// of manually zeroizing after use off the user, but unfortunately it doesn't
49/// delete the memory reliably. See #244
50#[derive(Clone, Eq, Debug, Zeroize)]
51#[cfg_attr(
52    feature = "rkyv-impl",
53    derive(Archive, Serialize, Deserialize),
54    archive_attr(derive(bytecheck::CheckBytes))
55)]
56pub struct SecretKey {
57    a: JubJubScalar,
58    b: JubJubScalar,
59}
60
61impl SecretKey {
62    /// This method is used to construct a new `SecretKey` from the given
63    /// secret pair of `a` and `b`.
64    pub fn new(a: JubJubScalar, b: JubJubScalar) -> Self {
65        Self { a, b }
66    }
67
68    /// Gets `a`
69    pub fn a(&self) -> &JubJubScalar {
70        &self.a
71    }
72
73    /// Gets `b`
74    pub fn b(&self) -> &JubJubScalar {
75        &self.b
76    }
77
78    /// Deterministically create a new [`SecretKey`] from a random number
79    /// generator
80    pub fn random<R: RngCore + CryptoRng>(rng: &mut R) -> Self {
81        let a = JubJubScalar::random(&mut *rng);
82        let b = JubJubScalar::random(&mut *rng);
83
84        SecretKey::new(a, b)
85    }
86
87    /// Generates a [`NoteSecretKey`] using the `R` of the given
88    /// [`StealthAddress`]. With the formula: `note_sk = H(a · R) + b`
89    pub fn gen_note_sk(&self, stealth: &StealthAddress) -> NoteSecretKey {
90        let aR = stealth.R() * self.a;
91
92        NoteSecretKey::from(hash(&aR) + self.b)
93    }
94
95    /// Checks if `note_pk ?= (H(R · a) + b) · G`
96    pub fn owns(&self, stealth_address: &StealthAddress) -> bool {
97        let note_sk = self.gen_note_sk(stealth_address);
98
99        let note_pk = GENERATOR_EXTENDED * note_sk.as_ref();
100
101        stealth_address.note_pk().as_ref() == &note_pk
102    }
103}
104
105impl ConstantTimeEq for SecretKey {
106    fn ct_eq(&self, other: &Self) -> Choice {
107        self.a.ct_eq(&other.a) & self.b.ct_eq(&other.b)
108    }
109}
110
111impl PartialEq for SecretKey {
112    fn eq(&self, other: &Self) -> bool {
113        self.ct_eq(other).into()
114    }
115}
116
117impl Serializable<64> for SecretKey {
118    type Error = Error;
119
120    fn to_bytes(&self) -> [u8; 64] {
121        let mut bytes = [0u8; 64];
122        bytes[..32].copy_from_slice(&self.a.to_bytes());
123        bytes[32..].copy_from_slice(&self.b.to_bytes());
124        bytes
125    }
126
127    fn from_bytes(buf: &[u8; 64]) -> Result<Self, Self::Error> {
128        let a = JubJubScalar::from_slice(&buf[..32])?;
129        let b = JubJubScalar::from_slice(&buf[32..])?;
130
131        Ok(Self { a, b })
132    }
133}