[Wallet/Mint] DLEQ proofs

cashu/core/b_dhke.py

@@ -28,6 +28,26 @@
 Y = hash_to_curve(secret_message)
 C == a*Y
 If true, C must have originated from Bob
+
+
+# DLEQ Proof
+
+(These steps occur once Bob returns C')
+
+Bob:
+r = random nonce
+R1 = r*G
+R2 = r*B'
+e = hash(R1,R2,A,C')
+s = r + e*a
+return e, s
+
+Alice:
+R1 = s*G - e*A
+R2 = s*B' - e*C'
+e == hash(R1,R2,A,C')
+
+If true, a in A = a*G must be equal to a in C' = a*B'
 """
 
 import hashlib
@@ -37,43 +57,86 @@
 
 def hash_to_curve(message: bytes) -> PublicKey:
     """Generates a point from the message hash and checks if the point lies on the curve.
-    If it does not, it tries computing a new point from the hash."""
+    If it does not, iteratively tries to compute a new point from the hash."""
     point = None
     msg_to_hash = message
     while point is None:
+        _hash = hashlib.sha256(msg_to_hash).digest()
         try:
-            _hash = hashlib.sha256(msg_to_hash).digest()
+            # will error if point does not lie on curve
             point = PublicKey(b"\x02" + _hash, raw=True)
         except:
             msg_to_hash = _hash
     return point
 
 
 def step1_alice(
-    secret_msg: str, blinding_factor: bytes = None
+    secret_msg: str, blinding_factor: bytes = b""
 ) -> tuple[PublicKey, PrivateKey]:
     Y: PublicKey = hash_to_curve(secret_msg.encode("utf-8"))
     if blinding_factor:
         r = PrivateKey(privkey=blinding_factor, raw=True)
     else:
         r = PrivateKey()
-    B_: PublicKey = Y + r.pubkey
+    B_: PublicKey = Y + r.pubkey  # type: ignore
     return B_, r
 
 
-def step2_bob(B_: PublicKey, a: PrivateKey) -> PublicKey:
-    C_: PublicKey = B_.mult(a)
-    return C_
+def step2_bob(B_: PublicKey, a: PrivateKey):
+    C_ = B_.mult(a)  # type: ignore
+
+    # produce dleq proof
+    e, s = step2_bob_dleq(B_, a)
+    return C_, e, s
 
 
 def step3_alice(C_: PublicKey, r: PrivateKey, A: PublicKey) -> PublicKey:
-    C: PublicKey = C_ - A.mult(r)
+    C: PublicKey = C_ - A.mult(r)  # type: ignore
     return C
 
 
 def verify(a: PrivateKey, C: PublicKey, secret_msg: str) -> bool:
     Y: PublicKey = hash_to_curve(secret_msg.encode("utf-8"))
-    return C == Y.mult(a)
+    return C == Y.mult(a)  # type: ignore
+
+
+def hash_e(R1: PublicKey, R2: PublicKey, K: PublicKey, C_: PublicKey):
+    _R1 = R1.serialize(compressed=False).hex()
+    _R2 = R2.serialize(compressed=False).hex()
+    _K = K.serialize(compressed=False).hex()
+    _C_ = C_.serialize(compressed=False).hex()
+    e_ = f"{_R1}{_R2}{_K}{_C_}"
+    e = hashlib.sha256(e_.encode("utf-8")).digest()
+    return e
+
+
+def step2_bob_dleq(B_: PublicKey, a: PrivateKey, p_bytes: bytes = b""):
+    if p_bytes:
+        # deterministic p for testing
+        p = PrivateKey(privkey=p_bytes, raw=True)
+    else:
+        # normally, we generate a random p
+        p = PrivateKey()
+
+    R1 = p.pubkey  # R1 = pG
+    assert R1
+    R2 = B_.mult(p)  # R2 = pB_ # type: ignore
+    C_ = B_.mult(a)  # C_ = aB_ # type: ignore
+    K = a.pubkey
+    assert K
+    e = hash_e(R1, R2, K, C_)  # e = hash(R1, R2, K, C_)
+    s = p.tweak_add(a.tweak_mul(e))  # s = p + ek
+    return e, s
+
+
+def alice_verify_dleq(e: bytes, s: bytes, K: PublicKey, B_: bytes, C_: bytes):
+    epk = PrivateKey(e, raw=True)
+    spk = PrivateKey(s, raw=True)
+    bk = PublicKey(B_, raw=True)
+    ck = PublicKey(C_, raw=True)
+    R1 = spk.pubkey - K.mult(epk)  # type: ignore
+    R2 = bk.mult(spk) - ck.mult(epk)  # type: ignore
+    return e == hash_e(R1, R2, K, ck)
 
 
 ### Below is a test of a simple positive and negative case

cashu/core/base.py

@@ -23,6 +23,17 @@ class P2SHScript(BaseModel):
     address: Union[str, None] = None
 
 
+class DLEQ(BaseModel):
+    """
+    Discrete Log Equality (DLEQ) Proof
+    """
+
+    e: str
+    s: str
+    B_: str
+    C_: str
+
+
 class Proof(BaseModel):
     """
     Value token
@@ -35,6 +46,7 @@ class Proof(BaseModel):
     secret: str = ""  # secret or message to be blinded and signed
     C: str = ""  # signature on secret, unblinded by wallet
     script: Union[P2SHScript, None] = None  # P2SH spending condition
+    dleq: Union[DLEQ, None] = None  # DLEQ proof
     reserved: Union[
         None, bool
     ] = False  # whether this proof is reserved for sending, used for coin management in the wallet
@@ -44,7 +56,21 @@ class Proof(BaseModel):
     time_created: Union[None, str] = ""
     time_reserved: Union[None, str] = ""
 
-    def to_dict(self):
+    def to_dict(self, include_dleq=True):
+        # dictionary without the fields that don't need to be send to Carol
+        if not include_dleq:
+            return dict(id=self.id, amount=self.amount, secret=self.secret, C=self.C)
+
+        assert self.dleq, "DLEQ proof is missing"
+        return dict(
+            id=self.id,
+            amount=self.amount,
+            secret=self.secret,
+            C=self.C,
+            dleq=self.dleq.dict(),
+        )
+
+    def to_dict_no_dleq(self):
         # dictionary without the fields that don't need to be send to Carol
         return dict(id=self.id, amount=self.amount, secret=self.secret, C=self.C)
 
@@ -78,9 +104,10 @@ class BlindedSignature(BaseModel):
     Blinded signature or "promise" which is the signature on a `BlindedMessage`
     """
 
-    id: Union[str, None] = None
+    id: str
     amount: int
     C_: str  # Hex-encoded signature
+    dleq: Optional[DLEQ] = None  # DLEQ proof
 
 
 class BlindedMessages(BaseModel):
@@ -366,8 +393,8 @@ class TokenV3Token(BaseModel):
     mint: Optional[str] = None
     proofs: List[Proof]
 
-    def to_dict(self):
-        return_dict = dict(proofs=[p.to_dict() for p in self.proofs])
+    def to_dict(self, include_dleq=True):
+        return_dict = dict(proofs=[p.to_dict(include_dleq) for p in self.proofs])
         if self.mint:
             return_dict.update(dict(mint=self.mint))  # type: ignore
         return return_dict
@@ -381,8 +408,8 @@ class TokenV3(BaseModel):
     token: List[TokenV3Token] = []
     memo: Optional[str] = None
 
-    def to_dict(self):
-        return_dict = dict(token=[t.to_dict() for t in self.token])
+    def to_dict(self, include_dleq=True):
+        return_dict = dict(token=[t.to_dict(include_dleq) for t in self.token])
         if self.memo:
             return_dict.update(dict(memo=self.memo))  # type: ignore
         return return_dict
@@ -409,14 +436,14 @@ def deserialize(cls, tokenv3_serialized: str):
         token = json.loads(base64.urlsafe_b64decode(token_base64))
         return cls.parse_obj(token)
 
-    def serialize(self):
+    def serialize(self, include_dleq=True):
         """
         Takes a TokenV3 and serializes it as "cashuA<json_urlsafe_base64>.
         """
         prefix = "cashuA"
         tokenv3_serialized = prefix
         # encode the token as a base64 string
         tokenv3_serialized += base64.urlsafe_b64encode(
-            json.dumps(self.to_dict()).encode()
+            json.dumps(self.to_dict(include_dleq)).encode()
         ).decode()
         return tokenv3_serialized

cashu/mint/crud.py

@@ -52,18 +52,22 @@ async def store_promise(
     amount: int,
     B_: str,
     C_: str,
+    e: str = "",
+    s: str = "",
     conn: Optional[Connection] = None,
 ):
     await (conn or db).execute(
         f"""
         INSERT INTO {table_with_schema(db, 'promises')}
-          (amount, B_b, C_b)
-        VALUES (?, ?, ?)
+          (amount, B_b, C_b, e, s)
+        VALUES (?, ?, ?, ?, ?)
         """,
         (
             amount,
-            str(B_),
-            str(C_),
+            B_,
+            C_,
+            e,
+            s,
         ),
     )
 

cashu/mint/ledger.py

@@ -7,6 +7,7 @@
 from ..core import bolt11 as bolt11
 from ..core import legacy as legacy
 from ..core.base import (
+    DLEQ,
     BlindedMessage,
     BlindedSignature,
     Invoice,
@@ -141,11 +142,23 @@ async def _generate_promise(
         keyset = keyset if keyset else self.keyset
         logger.trace(f"Generating promise with keyset {keyset.id}.")
         private_key_amount = keyset.private_keys[amount]
-        C_ = b_dhke.step2_bob(B_, private_key_amount)
+        C_, e, s = b_dhke.step2_bob(B_, private_key_amount)
         await self.crud.store_promise(
-            amount=amount, B_=B_.serialize().hex(), C_=C_.serialize().hex(), db=self.db
+            amount=amount,
+            B_=B_.serialize().hex(),
+            C_=C_.serialize().hex(),
+            e=e.hex(),
+            s=s.hex(),
+            db=self.db,
+        )
+        return BlindedSignature(
+            id=keyset.id,
+            amount=amount,
+            C_=C_.serialize().hex(),
+            dleq=DLEQ(
+                e=e.hex(), s=s.hex(), B_=B_.serialize().hex(), C_=C_.serialize().hex()
+            ),
         )
-        return BlindedSignature(id=keyset.id, amount=amount, C_=C_.serialize().hex())
 
     def _check_spendable(self, proof: Proof):
         """Checks whether the proof was already spent."""

cashu/mint/migrations.py

@@ -146,3 +146,15 @@ async def m005_pending_proofs_table(db: Database) -> None:
             );
         """
     )
+
+
+async def m006_promises_dleq(db: Database):
+    """
+    Add columns for DLEQ proof to promises table.
+    """
+    await db.execute(
+        f"ALTER TABLE {table_with_schema(db, 'promises')} ADD COLUMN e TEXT"
+    )
+    await db.execute(
+        f"ALTER TABLE {table_with_schema(db, 'promises')} ADD COLUMN s TEXT"
+    )

cashu/wallet/cli/cli.py

@@ -217,7 +217,7 @@ async def balance(ctx: Context, verbose):
         print(f"Balance: {wallet.available_balance} sat")
 
 
-async def send(ctx: Context, amount: int, lock: str, legacy: bool):
+async def send(ctx: Context, amount: int, lock: str, dleq: bool, legacy: bool):
     """
     Prints token to send to stdout.
     """
@@ -237,6 +237,7 @@ async def send(ctx: Context, amount: int, lock: str, legacy: bool):
     token = await wallet.serialize_proofs(
         send_proofs,
         include_mints=True,
+        include_dleq=dleq,
     )
     print(token)
 
@@ -264,6 +265,14 @@ async def send(ctx: Context, amount: int, lock: str, legacy: bool):
     type=str,
 )
 @click.option("--lock", "-l", default=None, help="Lock tokens (P2SH).", type=str)
+@click.option(
+    "--dleq",
+    "-d",
+    default=False,
+    is_flag=True,
+    help="Send with DLEQ proof.",
+    type=bool,
+)
 @click.option(
     "--legacy",
     "-l",
@@ -291,12 +300,13 @@ async def send_command(
     nostr: str,
     nopt: str,
     lock: str,
+    dleq: bool,
     legacy: bool,
     verbose: bool,
     yes: bool,
 ):
     if not nostr and not nopt:
-        await send(ctx, amount, lock, legacy)
+        await send(ctx, amount, lock, dleq, legacy)
     else:
         await send_nostr(ctx, amount, nostr or nopt, verbose, yes)
 
@@ -504,7 +514,8 @@ async def pending(ctx: Context, legacy, number: int, offset: int):
             number,
         ):
             grouped_proofs = list(value)
-            token = await wallet.serialize_proofs(grouped_proofs)
+            # TODO: we can't return DLEQ because we don't store it
+            token = await wallet.serialize_proofs(grouped_proofs, include_dleq=False)
             # token_hidden_secret = await wallet.serialize_proofs(grouped_proofs)
             reserved_date = datetime.utcfromtimestamp(
                 int(grouped_proofs[0].time_reserved)

cashu/wallet/cli/cli_helpers.py

@@ -230,7 +230,7 @@ async def serialize_TokenV2_to_TokenV3(wallet: Wallet, tokenv2: TokenV2):
     tokenv3 = TokenV3(token=[TokenV3Token(proofs=tokenv2.proofs)])
     if tokenv2.mints:
         tokenv3.token[0].mint = tokenv2.mints[0].url
-    token_serialized = tokenv3.serialize()
+    token_serialized = tokenv3.serialize(include_dleq=False)
     return token_serialized
 
 
@@ -243,5 +243,5 @@ async def serialize_TokenV1_to_TokenV3(wallet: Wallet, tokenv1: TokenV1):
         TokenV3: TokenV3
     """
     tokenv3 = TokenV3(token=[TokenV3Token(proofs=tokenv1.__root__)])
-    token_serialized = tokenv3.serialize()
+    token_serialized = tokenv3.serialize(include_dleq=False)
     return token_serialized