Merge pull request #88 from hyperledger-labs/random-ecdh-key

Support ephemeral private key for generating ecdh shared key for encryption
hyperledger-labs · Sep 30, 2024 · 6bb25ac · 6bb25ac
2 parents bea726d + 1e9addb
commit 6bb25ac
Show file tree

Hide file tree

Showing 28 changed files with 1,254 additions and 945 deletions.
diff --git a/go-sdk/integration-test/e2e_test.go b/go-sdk/integration-test/e2e_test.go
@@ -217,6 +217,7 @@ func (s *E2ETestSuite) TestZeto_2_SuccessfulProving() {
 	outputCommitments := []*big.Int{output1, output2}
 
 	encryptionNonce := crypto.NewEncryptionNonce()
+	ephemeralKeypair := testutils.NewKeypair()
 
 	witnessInputs := map[string]interface{}{
 		"inputCommitments":      inputCommitments,
@@ -228,6 +229,7 @@ func (s *E2ETestSuite) TestZeto_2_SuccessfulProving() {
 		"outputSalts":           []*big.Int{salt3, salt4},
 		"outputOwnerPublicKeys": [][]*big.Int{{receiver.PublicKey.X, receiver.PublicKey.Y}, {sender.PublicKey.X, sender.PublicKey.Y}},
 		"encryptionNonce":       encryptionNonce,
+		"ecdhPrivateKey":        ephemeralKeypair.PrivateKey.Scalar().BigInt(),
 	}
 
 	startTime := time.Now()
@@ -242,7 +244,7 @@ func (s *E2ETestSuite) TestZeto_2_SuccessfulProving() {
 	assert.Equal(s.T(), 3, len(proof.Proof.A))
 	assert.Equal(s.T(), 3, len(proof.Proof.B))
 	assert.Equal(s.T(), 3, len(proof.Proof.C))
-	assert.Equal(s.T(), 12, len(proof.PubSignals))
+	assert.Equal(s.T(), 14, len(proof.PubSignals))
 
 	// the receiver would be able to get the encrypted values and salts
 	// from the transaction events
@@ -256,7 +258,7 @@ func (s *E2ETestSuite) TestZeto_2_SuccessfulProving() {
 	// the first two elements in the public signals are the encrypted value and salt
 	// for the first output. decrypt using the receiver's private key and compare with
 	// the UTXO hash
-	secret := crypto.GenerateECDHSharedSecret(receiver.PrivateKey, sender.PublicKey)
+	secret := crypto.GenerateECDHSharedSecret(receiver.PrivateKey, ephemeralKeypair.PublicKey)
 	decrypted, err := crypto.PoseidonDecrypt(encryptedValues, []*big.Int{secret.X, secret.Y}, encryptionNonce, 4)
 	assert.NoError(s.T(), err)
 	assert.Equal(s.T(), outputValues[0].String(), decrypted[0].String())
@@ -403,6 +405,7 @@ func (s *E2ETestSuite) TestZeto_4_SuccessfulProving() {
 	outputCommitments := []*big.Int{output1, output2}
 
 	encryptionNonce := crypto.NewEncryptionNonce()
+	ephemeralKeypair := testutils.NewKeypair()
 
 	proof1Siblings := make([]*big.Int, len(circomProof1.Siblings)-1)
 	for i, s := range circomProof1.Siblings[0 : len(circomProof1.Siblings)-1] {
@@ -426,6 +429,7 @@ func (s *E2ETestSuite) TestZeto_4_SuccessfulProving() {
 		"outputSalts":           []*big.Int{salt3, salt4},
 		"outputOwnerPublicKeys": [][]*big.Int{{receiver.PublicKey.X, receiver.PublicKey.Y}, {sender.PublicKey.X, sender.PublicKey.Y}},
 		"encryptionNonce":       encryptionNonce,
+		"ecdhPrivateKey":        ephemeralKeypair.PrivateKey.Scalar().BigInt(),
 	}
 
 	startTime := time.Now()
@@ -440,7 +444,7 @@ func (s *E2ETestSuite) TestZeto_4_SuccessfulProving() {
 	assert.Equal(s.T(), 3, len(proof.Proof.A))
 	assert.Equal(s.T(), 3, len(proof.Proof.B))
 	assert.Equal(s.T(), 3, len(proof.Proof.C))
-	assert.Equal(s.T(), 15, len(proof.PubSignals))
+	assert.Equal(s.T(), 17, len(proof.PubSignals))
 }
 
 func (s *E2ETestSuite) TestZeto_5_SuccessfulProving() {

diff --git a/solidity/contracts/lib/interfaces/izeto_encrypted.sol b/solidity/contracts/lib/interfaces/izeto_encrypted.sol
@@ -22,6 +22,7 @@ interface IZetoEncrypted is IZetoBase {
         uint256[] inputs,
         uint256[] outputs,
         uint256 encryptionNonce,
+        uint256[2] ecdhPublicKey,
         uint256[] encryptedValues,
         address indexed submitter,
         bytes data

diff --git a/solidity/contracts/lib/verifier_anon_enc.sol b/solidity/contracts/lib/verifier_anon_enc.sol
@@ -43,44 +43,50 @@ contract Groth16Verifier_AnonEnc {
     uint256 constant deltay2 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
 
 
-    uint256 constant IC0x = 15520848054661511274945320545667385548601069271438999324366330478358568711164;
-    uint256 constant IC0y = 21157706785088596766640646951118458870358425037843657358834285142096534241567;
+    uint256 constant IC0x = 19738436812852754138717560068465488575650466935897866784235851363188283681055;
+    uint256 constant IC0y = 20276710811895297863478242769429631408343958016139841779904405850032032045827;
 
-    uint256 constant IC1x = 8426080128821983408742228948574443657002575937683949448708665466581838540418;
-    uint256 constant IC1y = 2961289054807278996124904978204815851370317973256653070013442261730110386382;
+    uint256 constant IC1x = 12004009131111215646999120161880487388502192413854826301881504538550543450502;
+    uint256 constant IC1y = 5034584841161295539588326933292197987831538710023697101766083868565246659218;
 
-    uint256 constant IC2x = 16846214183034172122880181483898983231574288374891417794445456783443571203454;
-    uint256 constant IC2y = 4795943127049292018241039074381217225273912831887247849230603976368095834324;
+    uint256 constant IC2x = 11744025093458990804167237970026144007871637967897648400215565295861061328335;
+    uint256 constant IC2y = 2248857409928028413263909113804746755226258898653477806239821342300643857095;
 
-    uint256 constant IC3x = 10240231648004351535934471246939085350017538992419843720960233896502823753829;
-    uint256 constant IC3y = 918298420507614225062851310351147657365217324218976043633227084147487484538;
+    uint256 constant IC3x = 1027866460885921739427963398134501038455918532796341088945078011511621442676;
+    uint256 constant IC3y = 5958883990350165479676838573621528879534261429892979129692820679034946644717;
 
-    uint256 constant IC4x = 2676903711586497323483713249304841063436832787967161822350958984717228651508;
-    uint256 constant IC4y = 11366926733173287985429506187405640951452084685400170840758508049511684394323;
+    uint256 constant IC4x = 21477343731350881336427671728879526073055001513676414044100634074555163654487;
+    uint256 constant IC4y = 975839980071906751516077094474212502568600329809457289967004593943814041533;
 
-    uint256 constant IC5x = 7501808156091619633948887448038018539596703524171333033985091618683129395104;
-    uint256 constant IC5y = 15183325431102096756416380632145698394481557936329850246257270656919651359614;
+    uint256 constant IC5x = 10745395673337059701699795673419720732231823654131369713589820865994307217089;
+    uint256 constant IC5y = 991956397633440927392694166348862131981180374714009247953939276179698863313;
 
-    uint256 constant IC6x = 16142642127854572324146698192700027612727186725464085127687467897687720973766;
-    uint256 constant IC6y = 4517714220502032665709414305462814581261203269046555880307186415606032799074;
+    uint256 constant IC6x = 1672993394090581484120407360563051967903199184399912366269853108749767520052;
+    uint256 constant IC6y = 2164345873917124991571819758981721198425688586574947724181752888003788143824;
 
-    uint256 constant IC7x = 1755538289631427930924987331320419179208761530645468129027087746202210024610;
-    uint256 constant IC7y = 12173734026028648655823071635152323182912152859934466692190630751344902966218;
+    uint256 constant IC7x = 12851905556792884689855342999140438817587827047283740173600609203898826077791;
+    uint256 constant IC7y = 2928106356023086030701978715110626259062951617739902988557680022327927922648;
 
-    uint256 constant IC8x = 7848298938728453306694415912843236021632832336242686994829367580246363462232;
-    uint256 constant IC8y = 14621047188318073218187719299332281645270167229458286064175382232430986150614;
+    uint256 constant IC8x = 1706366517711033642836339515106072692739807158278497001454479300738236232683;
+    uint256 constant IC8y = 16700903182897452990475040323204325018874215917926885692984146211640664248939;
 
-    uint256 constant IC9x = 5702664871943851440604579505620421848165916037464510240027885273509338564683;
-    uint256 constant IC9y = 4155173472639459280548275148817066405334382784770925752738906208871756122916;
+    uint256 constant IC9x = 19101508791113451928961082481025527911094003843281774332989233416940984939257;
+    uint256 constant IC9y = 21697565471392202731806697866311578445068434145060675485941899096932688363780;
 
-    uint256 constant IC10x = 11951237379444909975940139423428082852090010220501184525120096272922224325380;
-    uint256 constant IC10y = 7330212864492454320053389793155451329372996827534004209553742378250571973798;
+    uint256 constant IC10x = 19730275336196180738068616492761799716598666564420842355043346059462631887595;
+    uint256 constant IC10y = 16685285536790785249111663346085181130998577327076396224848784078816064185361;
 
-    uint256 constant IC11x = 17758792179933266126153564380301713721054370865026967564744749205362384449189;
-    uint256 constant IC11y = 20123875363051656182295676194267758869550749528323178608799833168744783048873;
+    uint256 constant IC11x = 7617913501130858003386168099320868449737268059133253154619134544472248055105;
+    uint256 constant IC11y = 7972962376779726951865679647174563612838286095297842951560535589126110704430;
 
-    uint256 constant IC12x = 16531299530766176947215740556184329586746603539886897864186093216474595540644;
-    uint256 constant IC12y = 8268807341917110402770543111430324212645734302589993091794921535136544275649;
+    uint256 constant IC12x = 12544403142863928402358237586570057011271857580491825726062907284786959213913;
+    uint256 constant IC12y = 6822386508465769764381472926650183520080357052212751223638195245287957269971;
+
+    uint256 constant IC13x = 18940507486165234508918415676788929441013178061873512240392411069614035082362;
+    uint256 constant IC13y = 16781396210596043591429632308560467689975084335009897683626466396650016291114;
+
+    uint256 constant IC14x = 558712144346877070501655608109394614280454755351878785357769476496746188097;
+    uint256 constant IC14y = 11446848258088708077539993154875274206911247468515662688034438075323420564863;
 
 
     // Memory data
@@ -89,7 +95,7 @@ contract Groth16Verifier_AnonEnc {
 
     uint16 constant pLastMem = 896;
 
-    function verifyProof(uint[2] calldata _pA, uint[2][2] calldata _pB, uint[2] calldata _pC, uint[12] calldata _pubSignals) public view returns (bool) {
+    function verifyProof(uint[2] calldata _pA, uint[2][2] calldata _pB, uint[2] calldata _pC, uint[14] calldata _pubSignals) public view returns (bool) {
         assembly {
             function checkField(v) {
                 if iszero(lt(v, r)) {
@@ -157,6 +163,10 @@ contract Groth16Verifier_AnonEnc {
 
                 g1_mulAccC(_pVk, IC12x, IC12y, calldataload(add(pubSignals, 352)))
 
+                g1_mulAccC(_pVk, IC13x, IC13y, calldataload(add(pubSignals, 384)))
+
+                g1_mulAccC(_pVk, IC14x, IC14y, calldataload(add(pubSignals, 416)))
+
 
                 // -A
                 mstore(_pPairing, calldataload(pA))
@@ -236,6 +246,10 @@ contract Groth16Verifier_AnonEnc {
 
             checkField(calldataload(add(_pubSignals, 384)))
 
+            checkField(calldataload(add(_pubSignals, 416)))
+
+            checkField(calldataload(add(_pubSignals, 448)))
+
 
             // Validate all evaluations
             let isValid := checkPairing(_pA, _pB, _pC, _pubSignals, pMem)