Removed all switch commitment usages, including restore (#841)
* Removed all switch commitment usages, including restore * Fixed pool tests * Fix keychain tests * Get rid of the switch key in keychain
This commit is contained in:
@@ -180,8 +180,6 @@ pub struct ChildKey {
|
||||
pub key_id: Identifier,
|
||||
/// The private key
|
||||
pub key: SecretKey,
|
||||
/// The key used for generating the associated switch_commit_hash
|
||||
pub switch_key: [u8; 32],
|
||||
}
|
||||
|
||||
/// An ExtendedKey is a secret key which can be used to derive new
|
||||
@@ -201,10 +199,6 @@ pub struct ExtendedKey {
|
||||
pub key: SecretKey,
|
||||
/// The chain code for the key derivation chain
|
||||
pub chain_code: [u8; 32],
|
||||
/// The key used for generating the associated switch_commit_hash
|
||||
pub switch_key: [u8; 32],
|
||||
/// The chain code for the switch key derivation chain
|
||||
pub switch_chain_code: [u8; 32],
|
||||
}
|
||||
|
||||
impl ExtendedKey {
|
||||
@@ -226,19 +220,6 @@ impl ExtendedKey {
|
||||
|
||||
let key_id = Identifier::from_secret_key(secp, &key)?;
|
||||
|
||||
// Now derive the switch_key and switch_chain_code in a similar fashion
|
||||
// but using a different key to ensure there is nothing linking
|
||||
// the secret key and the switch commit hash key for any extended key
|
||||
// we subsequently derive
|
||||
let switch_derived = blake2b(64, b"Grin/MW Switch Seed", seed);
|
||||
let switch_slice = switch_derived.as_bytes();
|
||||
|
||||
let mut switch_key: [u8; 32] = Default::default();
|
||||
(&mut switch_key).copy_from_slice(&switch_slice[0..32]);
|
||||
|
||||
let mut switch_chain_code: [u8; 32] = Default::default();
|
||||
(&mut switch_chain_code).copy_from_slice(&switch_slice[32..64]);
|
||||
|
||||
let ext_key = ExtendedKey {
|
||||
n_child: 0,
|
||||
root_key_id: key_id.clone(),
|
||||
@@ -247,10 +228,6 @@ impl ExtendedKey {
|
||||
// key and extended chain code for the key itself
|
||||
key,
|
||||
chain_code,
|
||||
|
||||
// key and extended chain code for the key for hashed switch commitments
|
||||
switch_key,
|
||||
switch_chain_code,
|
||||
};
|
||||
|
||||
Ok(ext_key)
|
||||
@@ -275,22 +252,11 @@ impl ExtendedKey {
|
||||
|
||||
let key_id = Identifier::from_secret_key(secp, &key)?;
|
||||
|
||||
let mut switch_seed = self.switch_key[..].to_vec();
|
||||
switch_seed.extend_from_slice(&n_bytes);
|
||||
|
||||
// only need a 32 byte digest here as we only need the bytes for the key itself
|
||||
// we do not need additional bytes for a derived (and unused) chain code
|
||||
let switch_derived = blake2b(32, &self.switch_chain_code[..], &switch_seed[..]);
|
||||
|
||||
let mut switch_key: [u8; 32] = Default::default();
|
||||
(&mut switch_key).copy_from_slice(&switch_derived.as_bytes()[..]);
|
||||
|
||||
Ok(ChildKey {
|
||||
n_child: n,
|
||||
root_key_id: self.root_key_id.clone(),
|
||||
key_id,
|
||||
key,
|
||||
switch_key,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
+1
-110
@@ -214,53 +214,15 @@ impl Keychain {
|
||||
Ok(commit)
|
||||
}
|
||||
|
||||
pub fn switch_commit(&self, key_id: &Identifier) -> Result<Commitment, Error> {
|
||||
let skey = self.derived_key(key_id)?;
|
||||
let commit = self.secp.switch_commit(skey)?;
|
||||
Ok(commit)
|
||||
}
|
||||
|
||||
pub fn switch_commit_from_index(&self, index: u32) -> Result<Commitment, Error> {
|
||||
// just do this directly, because cache seems really slow for wallet reconstruct
|
||||
let skey = self.extkey.derive(&self.secp, index)?;
|
||||
let skey = skey.key;
|
||||
let commit = self.secp.switch_commit(skey)?;
|
||||
Ok(commit)
|
||||
}
|
||||
|
||||
pub fn switch_commit_hash_key(&self, key_id: &Identifier) -> Result<[u8; 32], Error> {
|
||||
// first check our overrides and just return zero key if we have an override
|
||||
// we allow keys to be overridden for testing
|
||||
// and do not care about switch_commit_hash_keys in this case
|
||||
if let Some(_) = self.key_overrides.get(key_id) {
|
||||
let key: [u8; 32] = Default::default();
|
||||
return Ok(key);
|
||||
}
|
||||
|
||||
let child_key = self.derived_child_key(key_id)?;
|
||||
Ok(child_key.switch_key)
|
||||
}
|
||||
|
||||
pub fn range_proof(
|
||||
&self,
|
||||
amount: u64,
|
||||
key_id: &Identifier,
|
||||
_commit: Commitment,
|
||||
extra_data: Option<Vec<u8>>,
|
||||
msg: ProofMessage,
|
||||
) -> Result<RangeProof, Error> {
|
||||
let skey = self.derived_key(key_id)?;
|
||||
if msg.len() == 0 {
|
||||
return Ok(self.secp.bullet_proof(amount, skey, extra_data, None));
|
||||
} else {
|
||||
if msg.len() != 64 {
|
||||
error!(LOGGER, "Bullet proof message must be 64 bytes.");
|
||||
return Err(Error::RangeProof(
|
||||
"Bullet proof message must be 64 bytes".to_string(),
|
||||
));
|
||||
}
|
||||
}
|
||||
return Ok(self.secp.bullet_proof(amount, skey, extra_data, Some(msg)));
|
||||
Ok(self.secp.bullet_proof(amount, skey, extra_data, None))
|
||||
}
|
||||
|
||||
pub fn verify_range_proof(
|
||||
@@ -623,77 +585,6 @@ mod test {
|
||||
secp.verify_from_commit(&msg, &sig, &commit).unwrap();
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_rewind_range_proof() {
|
||||
let keychain = Keychain::from_random_seed().unwrap();
|
||||
let key_id = keychain.derive_key_id(1).unwrap();
|
||||
let commit = keychain.commit(5, &key_id).unwrap();
|
||||
let mut msg = ProofMessage::from_bytes(&[0u8; 64]);
|
||||
let extra_data = [99u8; 64];
|
||||
|
||||
let proof = keychain
|
||||
.range_proof(5, &key_id, commit, Some(extra_data.to_vec().clone()), msg)
|
||||
.unwrap();
|
||||
let proof_info = keychain
|
||||
.rewind_range_proof(&key_id, commit, Some(extra_data.to_vec().clone()), proof)
|
||||
.unwrap();
|
||||
|
||||
assert_eq!(proof_info.success, true);
|
||||
|
||||
// now check the recovered message is "empty" (but not truncated) i.e. all
|
||||
// zeroes
|
||||
//Value is in the message in this case
|
||||
assert_eq!(
|
||||
proof_info.message,
|
||||
secp::pedersen::ProofMessage::from_bytes(&[0; secp::constants::BULLET_PROOF_MSG_SIZE])
|
||||
);
|
||||
|
||||
let key_id2 = keychain.derive_key_id(2).unwrap();
|
||||
|
||||
// cannot rewind with a different nonce
|
||||
let proof_info = keychain
|
||||
.rewind_range_proof(&key_id2, commit, Some(extra_data.to_vec().clone()), proof)
|
||||
.unwrap();
|
||||
// With bullet proofs, if you provide the wrong nonce you'll get gibberish back
|
||||
// as opposed to a failure to recover the message
|
||||
assert_ne!(
|
||||
proof_info.message,
|
||||
secp::pedersen::ProofMessage::from_bytes(&[0; secp::constants::BULLET_PROOF_MSG_SIZE])
|
||||
);
|
||||
assert_eq!(proof_info.value, 0);
|
||||
|
||||
// cannot rewind with a commitment to the same value using a different key
|
||||
let commit2 = keychain.commit(5, &key_id2).unwrap();
|
||||
let proof_info = keychain
|
||||
.rewind_range_proof(&key_id, commit2, Some(extra_data.to_vec().clone()), proof)
|
||||
.unwrap();
|
||||
assert_eq!(proof_info.success, false);
|
||||
assert_eq!(proof_info.value, 0);
|
||||
|
||||
// cannot rewind with a commitment to a different value
|
||||
let commit3 = keychain.commit(4, &key_id).unwrap();
|
||||
let proof_info = keychain
|
||||
.rewind_range_proof(&key_id, commit3, Some(extra_data.to_vec().clone()), proof)
|
||||
.unwrap();
|
||||
assert_eq!(proof_info.success, false);
|
||||
assert_eq!(proof_info.value, 0);
|
||||
|
||||
// cannot rewind with wrong extra committed data
|
||||
let commit3 = keychain.commit(4, &key_id).unwrap();
|
||||
let wrong_extra_data = [98u8; 64];
|
||||
let should_err = keychain
|
||||
.rewind_range_proof(
|
||||
&key_id,
|
||||
commit3,
|
||||
Some(wrong_extra_data.to_vec().clone()),
|
||||
proof,
|
||||
)
|
||||
.unwrap();
|
||||
|
||||
assert_eq!(proof_info.success, false);
|
||||
assert_eq!(proof_info.value, 0);
|
||||
}
|
||||
|
||||
// We plan to "offset" the key used in the kernel commitment
|
||||
// so we are going to be doing some key addition/subtraction.
|
||||
// This test is mainly to demonstrate that idea that summing commitments
|
||||
|
||||
Reference in New Issue
Block a user