Removed all switch commitment usages, including restore (#841)

* Removed all switch commitment usages, including restore
* Fixed pool tests
* Fix keychain tests
* Get rid of the switch key in keychain
This commit is contained in:
Ignotus Peverell
2018-03-22 00:10:11 +00:00
committed by GitHub
parent ff4d68d2be
commit ca8447f3bd
18 changed files with 55 additions and 921 deletions
-34
View File
@@ -180,8 +180,6 @@ pub struct ChildKey {
pub key_id: Identifier,
/// The private key
pub key: SecretKey,
/// The key used for generating the associated switch_commit_hash
pub switch_key: [u8; 32],
}
/// An ExtendedKey is a secret key which can be used to derive new
@@ -201,10 +199,6 @@ pub struct ExtendedKey {
pub key: SecretKey,
/// The chain code for the key derivation chain
pub chain_code: [u8; 32],
/// The key used for generating the associated switch_commit_hash
pub switch_key: [u8; 32],
/// The chain code for the switch key derivation chain
pub switch_chain_code: [u8; 32],
}
impl ExtendedKey {
@@ -226,19 +220,6 @@ impl ExtendedKey {
let key_id = Identifier::from_secret_key(secp, &key)?;
// Now derive the switch_key and switch_chain_code in a similar fashion
// but using a different key to ensure there is nothing linking
// the secret key and the switch commit hash key for any extended key
// we subsequently derive
let switch_derived = blake2b(64, b"Grin/MW Switch Seed", seed);
let switch_slice = switch_derived.as_bytes();
let mut switch_key: [u8; 32] = Default::default();
(&mut switch_key).copy_from_slice(&switch_slice[0..32]);
let mut switch_chain_code: [u8; 32] = Default::default();
(&mut switch_chain_code).copy_from_slice(&switch_slice[32..64]);
let ext_key = ExtendedKey {
n_child: 0,
root_key_id: key_id.clone(),
@@ -247,10 +228,6 @@ impl ExtendedKey {
// key and extended chain code for the key itself
key,
chain_code,
// key and extended chain code for the key for hashed switch commitments
switch_key,
switch_chain_code,
};
Ok(ext_key)
@@ -275,22 +252,11 @@ impl ExtendedKey {
let key_id = Identifier::from_secret_key(secp, &key)?;
let mut switch_seed = self.switch_key[..].to_vec();
switch_seed.extend_from_slice(&n_bytes);
// only need a 32 byte digest here as we only need the bytes for the key itself
// we do not need additional bytes for a derived (and unused) chain code
let switch_derived = blake2b(32, &self.switch_chain_code[..], &switch_seed[..]);
let mut switch_key: [u8; 32] = Default::default();
(&mut switch_key).copy_from_slice(&switch_derived.as_bytes()[..]);
Ok(ChildKey {
n_child: n,
root_key_id: self.root_key_id.clone(),
key_id,
key,
switch_key,
})
}
}
+1 -110
View File
@@ -214,53 +214,15 @@ impl Keychain {
Ok(commit)
}
pub fn switch_commit(&self, key_id: &Identifier) -> Result<Commitment, Error> {
let skey = self.derived_key(key_id)?;
let commit = self.secp.switch_commit(skey)?;
Ok(commit)
}
pub fn switch_commit_from_index(&self, index: u32) -> Result<Commitment, Error> {
// just do this directly, because cache seems really slow for wallet reconstruct
let skey = self.extkey.derive(&self.secp, index)?;
let skey = skey.key;
let commit = self.secp.switch_commit(skey)?;
Ok(commit)
}
pub fn switch_commit_hash_key(&self, key_id: &Identifier) -> Result<[u8; 32], Error> {
// first check our overrides and just return zero key if we have an override
// we allow keys to be overridden for testing
// and do not care about switch_commit_hash_keys in this case
if let Some(_) = self.key_overrides.get(key_id) {
let key: [u8; 32] = Default::default();
return Ok(key);
}
let child_key = self.derived_child_key(key_id)?;
Ok(child_key.switch_key)
}
pub fn range_proof(
&self,
amount: u64,
key_id: &Identifier,
_commit: Commitment,
extra_data: Option<Vec<u8>>,
msg: ProofMessage,
) -> Result<RangeProof, Error> {
let skey = self.derived_key(key_id)?;
if msg.len() == 0 {
return Ok(self.secp.bullet_proof(amount, skey, extra_data, None));
} else {
if msg.len() != 64 {
error!(LOGGER, "Bullet proof message must be 64 bytes.");
return Err(Error::RangeProof(
"Bullet proof message must be 64 bytes".to_string(),
));
}
}
return Ok(self.secp.bullet_proof(amount, skey, extra_data, Some(msg)));
Ok(self.secp.bullet_proof(amount, skey, extra_data, None))
}
pub fn verify_range_proof(
@@ -623,77 +585,6 @@ mod test {
secp.verify_from_commit(&msg, &sig, &commit).unwrap();
}
#[test]
fn test_rewind_range_proof() {
let keychain = Keychain::from_random_seed().unwrap();
let key_id = keychain.derive_key_id(1).unwrap();
let commit = keychain.commit(5, &key_id).unwrap();
let mut msg = ProofMessage::from_bytes(&[0u8; 64]);
let extra_data = [99u8; 64];
let proof = keychain
.range_proof(5, &key_id, commit, Some(extra_data.to_vec().clone()), msg)
.unwrap();
let proof_info = keychain
.rewind_range_proof(&key_id, commit, Some(extra_data.to_vec().clone()), proof)
.unwrap();
assert_eq!(proof_info.success, true);
// now check the recovered message is "empty" (but not truncated) i.e. all
// zeroes
//Value is in the message in this case
assert_eq!(
proof_info.message,
secp::pedersen::ProofMessage::from_bytes(&[0; secp::constants::BULLET_PROOF_MSG_SIZE])
);
let key_id2 = keychain.derive_key_id(2).unwrap();
// cannot rewind with a different nonce
let proof_info = keychain
.rewind_range_proof(&key_id2, commit, Some(extra_data.to_vec().clone()), proof)
.unwrap();
// With bullet proofs, if you provide the wrong nonce you'll get gibberish back
// as opposed to a failure to recover the message
assert_ne!(
proof_info.message,
secp::pedersen::ProofMessage::from_bytes(&[0; secp::constants::BULLET_PROOF_MSG_SIZE])
);
assert_eq!(proof_info.value, 0);
// cannot rewind with a commitment to the same value using a different key
let commit2 = keychain.commit(5, &key_id2).unwrap();
let proof_info = keychain
.rewind_range_proof(&key_id, commit2, Some(extra_data.to_vec().clone()), proof)
.unwrap();
assert_eq!(proof_info.success, false);
assert_eq!(proof_info.value, 0);
// cannot rewind with a commitment to a different value
let commit3 = keychain.commit(4, &key_id).unwrap();
let proof_info = keychain
.rewind_range_proof(&key_id, commit3, Some(extra_data.to_vec().clone()), proof)
.unwrap();
assert_eq!(proof_info.success, false);
assert_eq!(proof_info.value, 0);
// cannot rewind with wrong extra committed data
let commit3 = keychain.commit(4, &key_id).unwrap();
let wrong_extra_data = [98u8; 64];
let should_err = keychain
.rewind_range_proof(
&key_id,
commit3,
Some(wrong_extra_data.to_vec().clone()),
proof,
)
.unwrap();
assert_eq!(proof_info.success, false);
assert_eq!(proof_info.value, 0);
}
// We plan to "offset" the key used in the kernel commitment
// so we are going to be doing some key addition/subtraction.
// This test is mainly to demonstrate that idea that summing commitments