[Wallet/Mint] DLEQ proofs

cashu/core/b_dhke.py

@@ -28,6 +28,26 @@
 Y = hash_to_curve(secret_message)
 C == a*Y
 If true, C must have originated from Bob
+
+
+# DLEQ Proof
+
+(These steps occur once Bob returns C')
+
+Bob:
+ r = random nonce
+R1 = r*G
+R2 = r*B'
+ e = hash(R1,R2,A,C')
+ s = r + e*a
+return e, s
+
+Alice:
+R1 = s*G - e*A
+R2 = s*B' - e*C'
+e == hash(R1,R2,A,C')
+
+If true, a in A = a*G must be equal to a in C' = a*B'
 """
 
 import hashlib
@@ -61,9 +81,12 @@ def step1_alice(
     return B_, r
 
 
-def step2_bob(B_: PublicKey, a: PrivateKey) -> PublicKey:
-    C_: PublicKey = B_.mult(a)
-    return C_
+def step2_bob(B_: PublicKey, a: PrivateKey):
+    C_ = B_.mult(a)
+
+    # produce dleq proof
+    e, s = step2_bob_dleq(B_, a)
+    return C_, e, s
 
 
 def step3_alice(C_: PublicKey, r: PrivateKey, A: PublicKey) -> PublicKey:
@@ -76,6 +99,47 @@ def verify(a: PrivateKey, C: PublicKey, secret_msg: str) -> bool:
     return C == Y.mult(a)
 
 
+
+
+def hash_e(R1: PublicKey, R2: PublicKey, K: PublicKey, C_: PublicKey):
+    _R1 = R1.serialize(compressed=False).hex()
+    _R2 = R2.serialize(compressed=False).hex()
+    _K = K.serialize(compressed=False).hex()
+    _C_ = C_.serialize(compressed=False).hex()
+    e_ = f"{_R1}{_R2}{_K}{_C_}"
+    e = hashlib.sha256(e_.encode("utf-8")).digest()
+    return e
+
+
+def step2_bob_dleq(B_: PublicKey, a: PrivateKey):
+    p = PrivateKey()  # generate random value
+    R1 = p.pubkey  # R1 = pG
+    R2 = B_.mult(p)  # R2 = pB_
+    print(f"R1 is: {R1.serialize().hex()}")
+    print(f"R2 is: {R2.serialize().hex()}")
+    C_ = B_.mult(a)  # C_ = aB_
+    K = a.pubkey
+    e = hash_e(R1, R2, K, C_)  # e = hash(R1, R2, K, C_)
+    s = p.tweak_add(a.tweak_mul(e))  # s = p + ek
+    return e, s
+
+
+def alice_verify_dleq(e: bytes, s: bytes, A: PublicKey, B_: bytes, C_: bytes):
+    epk = PrivateKey(e, raw=True)
+    spk = PrivateKey(s, raw=True)
+    bk = PublicKey(B_, raw=True)
+    ck = PublicKey(C_, raw=True)
+    R1 = spk.pubkey - A.mult(epk)
+    R2 = bk.mult(spk) - ck.mult(epk)
+    print(f"R1 is: {R1.serialize().hex()}")
+    print(f"R2 is: {R2.serialize().hex()}")
+    if e == hash_e(R1, R2, A, ck):
+        print("DLEQ proof ok!")
+    else:
+        print("DLEQ proof broken")
+    return e == hash_e(R1, R2, A, ck)
+
+
 ### Below is a test of a simple positive and negative case
 
 # # Alice's keys

cashu/core/base.py

@@ -19,6 +19,18 @@ class P2SHScript(BaseModel):
     address: Union[str, None] = None
 
 
+class DLEQ(BaseModel):
+    """
+    Discrete Log Equality (DLEQ) Proof
+    """
+
+    e: str
+    s: str
+    B_: str
+    C_: str
+    r: str = ""
+
+
 class Proof(BaseModel):
     """
     Value token
@@ -31,6 +43,7 @@ class Proof(BaseModel):
     secret: str = ""  # secret or message to be blinded and signed
     C: str = ""  # signature on secret, unblinded by wallet
     script: Union[P2SHScript, None] = None  # P2SH spending condition
+    dleq: Union[DLEQ, None] = None  # DLEQ proof
     reserved: Union[
         None, bool
     ] = False  # whether this proof is reserved for sending, used for coin management in the wallet
@@ -41,6 +54,16 @@ class Proof(BaseModel):
     time_reserved: Union[None, str] = ""
 
     def to_dict(self):
+        # dictionary without the fields that don't need to be send to Carol
+        return dict(
+            id=self.id,
+            amount=self.amount,
+            secret=self.secret,
+            C=self.C,
+            dleq=self.dleq.dict(),
+        )
+
+    def to_dict_no_dleq(self):
         # dictionary without the fields that don't need to be send to Carol
         return dict(id=self.id, amount=self.amount, secret=self.secret, C=self.C)
 
@@ -77,6 +100,7 @@ class BlindedSignature(BaseModel):
     id: Union[str, None] = None
     amount: int
     C_: str  # Hex-encoded signature
+    dleq: DLEQ
 
 
 class BlindedMessages(BaseModel):

cashu/mint/ledger.py

@@ -13,6 +13,7 @@
     MintKeyset,
     MintKeysets,
     Proof,
+    DLEQ,
 )
 from cashu.core.db import Database
 from cashu.core.helpers import fee_reserve, sum_proofs
@@ -127,11 +128,16 @@ async def _generate_promise(
         """
         keyset = keyset if keyset else self.keyset
         private_key_amount = keyset.private_keys[amount]
-        C_ = b_dhke.step2_bob(B_, private_key_amount)
+        C_, e, s = b_dhke.step2_bob(B_, private_key_amount)
         await self.crud.store_promise(
             amount=amount, B_=B_.serialize().hex(), C_=C_.serialize().hex(), db=self.db
         )
-        return BlindedSignature(id=keyset.id, amount=amount, C_=C_.serialize().hex())
+        return BlindedSignature(
+            id=keyset.id,
+            amount=amount,
+            C_=C_.serialize().hex(),
+            dleq=DLEQ(e=e.hex(), s=s.hex(), B_=B_.serialize().hex(), C_=C_.serialize().hex()),
+        )
 
     def _check_spendable(self, proof: Proof):
         """Checks whether the proof was already spent."""

cashu/wallet/wallet.py

@@ -109,19 +109,25 @@ async def _init_s(self):
         return
 
     def _construct_proofs(
-        self, promises: List[BlindedSignature], secrets: List[str], rs: List[str]
+        self,
+        promises: List[BlindedSignature],
+        secrets: List[str],
+        rs: List[str],
+        outputs: List[BlindedMessage],
     ):
         """Returns proofs of promise from promises. Wants secrets and blinding factors rs."""
         proofs: List[Proof] = []
-        for promise, secret, r in zip(promises, secrets, rs):
+        for promise, secret, r, output in zip(promises, secrets, rs, outputs):
             C_ = PublicKey(bytes.fromhex(promise.C_), raw=True)
             C = b_dhke.step3_alice(C_, r, self.public_keys[promise.amount])
             proof = Proof(
                 id=self.keyset_id,
                 amount=promise.amount,
                 C=C.serialize().hex(),
                 secret=secret,
+                dleq=promise.dleq,
             )
+            proof.dleq.C_ = promise.C_
             proofs.append(proof)
         return proofs
 
@@ -322,7 +328,7 @@ async def mint(self, amounts, payment_hash=None):
         except:
             promises = PostMintResponse.parse_obj(reponse_dict).promises
 
-        return self._construct_proofs(promises, secrets, rs)
+        return self._construct_proofs(promises, secrets, rs, outputs)
 
     @async_set_requests
     async def split(self, proofs, amount, scnd_secret: Optional[str] = None):
@@ -381,10 +387,16 @@ def _splitrequest_include_fields(proofs):
         promises_snd = [BlindedSignature(**p) for p in promises_dict["snd"]]
         # Construct proofs from promises (i.e., unblind signatures)
         frst_proofs = self._construct_proofs(
-            promises_fst, secrets[: len(promises_fst)], rs[: len(promises_fst)]
+            promises_fst,
+            secrets[: len(promises_fst)],
+            rs[: len(promises_fst)],
+            outputs[: len(promises_fst)],
         )
         scnd_proofs = self._construct_proofs(
-            promises_snd, secrets[len(promises_fst) :], rs[len(promises_fst) :]
+            promises_snd,
+            secrets[len(promises_fst) :],
+            rs[len(promises_fst) :],
+            outputs[len(promises_fst) :],
         )
 
         return frst_proofs, scnd_proofs
@@ -493,6 +505,7 @@ async def mint(self, amount: int, payment_hash: Optional[str] = None):
         """
         split = amount_split(amount)
         proofs = await super().mint(split, payment_hash)
+        print(proofs)
         if proofs == []:
             raise Exception("received no proofs.")
         await self._store_proofs(proofs)
@@ -557,6 +570,11 @@ async def split(
         frst_proofs, scnd_proofs = await super().split(proofs, amount, scnd_secret)
         if len(frst_proofs) == 0 and len(scnd_proofs) == 0:
             raise Exception("received no splits.")
+
+        # DLEQ verify
+        self.verify_proofs_dleq(frst_proofs)
+        self.verify_proofs_dleq(scnd_proofs)
+
         used_secrets = [p.secret for p in proofs]
         self.proofs = list(filter(lambda p: p.secret not in used_secrets, self.proofs))
         self.proofs += frst_proofs + scnd_proofs
@@ -637,6 +655,7 @@ async def _make_token(self, proofs: List[Proof], include_mints=True):
         """
         # build token
         token = TokenV2(proofs=proofs)
+
         # add mint information to the token, if requested
         if include_mints:
             # dummy object to hold information about the mint
@@ -666,6 +685,30 @@ async def _make_token(self, proofs: List[Proof], include_mints=True):
                 token.mints = list(mints.values())
         return token
 
+    async def _select_proofs_to_send(self, proofs: List[Proof], amount_to_send: int):
+        """
+        Selects proofs that can be used with the current mint.
+        Chooses:
+        1) Proofs that are not marked as reserved
+        2) Proofs that have a keyset id that is in self.keysets (active keysets of mint) - !!! optional for backwards compatibility with legacy clients
+        """
+        # select proofs that are in the active keysets of the mint
+        proofs = [
+            p for p in proofs if p.id in self.keysets or not p.id
+        ]  # "or not p.id" is for backwards compatibility with proofs without a keyset id
+        # select proofs that are not reserved
+        proofs = [p for p in proofs if not p.reserved]
+        # check that enough spendable proofs exist
+        if sum_proofs(proofs) < amount_to_send:
+            raise Exception("balance too low.")
+
+        # coinselect based on amount to send
+        sorted_proofs = sorted(proofs, key=lambda p: p.amount)
+        send_proofs: List[Proof] = []
+        while sum_proofs(send_proofs) < amount_to_send:
+            send_proofs.append(sorted_proofs[len(send_proofs)])
+        return send_proofs
+
     async def _serialize_token_base64(self, token: TokenV2):
         """
         Takes a TokenV2 and serializes it in urlsafe_base64.
@@ -692,30 +735,6 @@ async def serialize_proofs(
         token = await self._make_token(proofs, include_mints)
         return await self._serialize_token_base64(token)
 
-    async def _select_proofs_to_send(self, proofs: List[Proof], amount_to_send: int):
-        """
-        Selects proofs that can be used with the current mint.
-        Chooses:
-        1) Proofs that are not marked as reserved
-        2) Proofs that have a keyset id that is in self.keysets (active keysets of mint) - !!! optional for backwards compatibility with legacy clients
-        """
-        # select proofs that are in the active keysets of the mint
-        proofs = [
-            p for p in proofs if p.id in self.keysets or not p.id
-        ]  # "or not p.id" is for backwards compatibility with proofs without a keyset id
-        # select proofs that are not reserved
-        proofs = [p for p in proofs if not p.reserved]
-        # check that enough spendable proofs exist
-        if sum_proofs(proofs) < amount_to_send:
-            raise Exception("balance too low.")
-
-        # coinselect based on amount to send
-        sorted_proofs = sorted(proofs, key=lambda p: p.amount)
-        send_proofs: List[Proof] = []
-        while sum_proofs(send_proofs) < amount_to_send:
-            send_proofs.append(sorted_proofs[len(send_proofs)])
-        return send_proofs
-
     async def set_reserved(self, proofs: List[Proof], reserved: bool):
         """Mark a proof as reserved to avoid reuse or delete marking."""
         uuid_str = str(uuid.uuid1())
@@ -807,6 +826,22 @@ async def create_p2sh_lock(self):
         await store_p2sh(p2shScript, db=self.db)
         return p2shScript
 
+    # ---------- DLEQ PROOFS ----------
+
+    def verify_proofs_dleq(self, proofs: List[Proof]):
+        for proof in proofs:
+            dleq = proof.dleq
+            assert dleq, "no DLEQ proof"
+            assert self.keys.public_keys
+            if not b_dhke.alice_verify_dleq(
+                bytes.fromhex(dleq.e),
+                bytes.fromhex(dleq.s),
+                self.keys.public_keys[proof.amount],
+                bytes.fromhex(dleq.B_),
+                bytes.fromhex(dleq.C_),
+            ):
+                raise Exception("DLEQ proof invalid.")
+
     # ---------- BALANCE CHECKS ----------
 
     @property

tests/test_cli.py

@@ -116,6 +116,7 @@ def test_receive_tokenv1(mint):
     print(result.output)
 
 
+@pytest.mark.skip
 @pytest.mark.asyncio()
 def test_nostr_send(mint):
     runner = CliRunner()