layerxcom / zero-chain Goto Github PK

got the following error.

thread 'bls12_381::fq::fq_repr_tests' panicked at 'assertion failed: `(left == right)`
  left: `FqRepr([5457830654796382876, 14052294085650741142, 9037930377914938456, 17127803672399921366, 8651480755814397574, 10649476550251866400])`,
 right: `FqRepr([10649476550251866400, 8651480755814397574, 17127803672399921366, 9037930377914938456, 14052294085650741142, 5457830654796382876])`', pairing/src/tests/repr.rs:53:13
note: Run with `RUST_BACKTRACE=1` environment variable to display a backtrace.
test bls12_381::fq::fq_repr_tests ... FAILED

https://github.com/LayerXcom/zero-chain/blob/master/proofs/src/primitives/mod.rs

Add low order checks to primitives at the time of reading from bytes to types.

Implement MiMC circuit in bellman.

Ensure the correct Subgroup for edwards::Point

The integration test that is reading proving_key and preapred_vk binary files, then proving and verifying is in core/proofs/src/prover.rs.

Each of read function should consume the reader data.

wasm files are included here.

Refs:

• https://docs.travis-ci.com/user/environment-variables/
• https://stackoverflow.com/questions/40250937/how-to-use-travis-ci-with-some-files-in-gitignore
• https://stackoverflow.com/questions/42612221/path-to-repository-in-travis

For simplicity, we should add the homomorphic encryption like ElGamal or lifted-ElGamal, paillier instead of pedersen commitment.

In order to decrypt the lifted-Elgamal encryption, it is needed to solve the discrete logarithm.
That is why the decryption is inefficiency. Needed to consider the bit length depending on computational times.

OsRng and ThereadRng can not be used in wasm.We will use ChachaRng for the entropy.

ref: kobigurk/wasm_proof@7389437

parameters of confidential transfers

• commitment root (anchor)
  A treestate consists of a note commitment tree and a nullifier set. The nullifier set is always updated together with the note commitment tree.
  The input treestate of each subsequent transaction in a block is the output treestate of the immediately preceding transaction.
  Namely, an anchor is the output treestate of either a previous block, or a previous JoinSplit transfer in this transaction

• nullifier
  nullifier for the input note.

• Note commitment:
  note commitment for the output note.

• public key
  a key agreement public key, used to derive the key for encryption of the transmitted notes ciphertext.

• random
  a seed that must be chosen independently at random for each transactions.

• tag
  a tag that bind h_sig to each private key of the input notes
  where h_sig = hash(random, nullifier, pubkey)
  In order to avoid malleability.

• zk proof
  a zero knowledge proof

• encrypted Note
  ciphertext components for the encrypted output note.

inputs of zk proof

primary input (public)

• commitment root
• nullifier
• Note commitment
• h_sig
• tag

auxiliary inputs (private)

• merkle path
• position
• Note_old
• Note_new
• private key
• phi (for uniquness of rho)
• merkle path enforcement

The test fails because the dummy_engine is not implemented the from_affine() for the test.

error logs

---- proof::tests::test_proof_into_from stdout ----
thread 'proof::tests::test_proof_into_from' panicked at 'not yet implemented', bellman-verifier/src/tests/dummy_engine.rs:400:9
note: Run with `RUST_BACKTRACE=1` for a backtrace.

Temporary removed because the prepared_verification_key can not read in bellman(std).

Ensure if it is needed to change public to public(crate).

But if these are changed, the test of bellman-verifier would be failed because the proof is hard-coded, it cannot access as these fields are private out of the pairing crate.

Add tests of primitives
https://github.com/LayerXcom/zero-chain/blob/master/proofs/src/primitives/mod.rs

Add the pending transfer.
In the confidential transfer function, add epoch_check, roll over pendings and update last_epoch.

pub fn confTransfer() {
  RollOver(sender_addr)
  RollOver(recipient_addr)
  ・・・
  balances[sender_addr] += Enc(-value)
  pending_transfer[recipient_addr] += Enc(value)
  ・・・
}

fn RollOver(addr) {
  let H = block.number
  let e = H/E
  if lastRollOver[addr] < e:
    Set balance[addr] += pending_transfer[addr]
    Set pending_transfer[addr] = (1, 1)
    Set lastRollOver[addr] = e
}

In the storage, Add pending_transfer_map and last_epoch_map

storage{
  pending_transfer: map address => pending_value
  last_epoch: map address => block_height
  ・・・
}

Ensure the difference between <Bls12> and <JubjubBls12> as a Engine.

Currently, the part of node-template is outdated.
Needed update in order to build and run substrate's chain.

Gav said the version of node-template would be freezed in a couple of weeks.

Ref:
https://github.com/paritytech/substrate/tree/master/node-template

update ECIES scheme to more efficiency and secure.

Implement the byte casted types of transaction components for substrate.

In order to send the own defined struct to substrate, needed to add attributes of Encode, Decode, Default.

Need to be compatible with the signed data field between signing and verifying.

In unchecked_mortal_compact_extrinsic, the signature verification is implemented here.
https://github.com/paritytech/substrate/blob/1997487ec082f436e4c3279402d4528d67c861be/core/sr-primitives/src/generic/unchecked_mortal_compact_extrinsic.rs#L85-L96

In oo7, the signing scheme is implemented here.
https://github.com/paritytech/oo7/blob/79856e56658ad2b71115af5f682ac5d71a4f9ab3/packages/oo7-substrate/src/transact.js#L27-L42

https://github.com/LayerXcom/zero-chain/blob/master/primitives/src/cm_encryption.rs

// Temporary use for enc/dec
use pcrypto::aes::{
    encrypt_128_ctr, 
    decrypt_128_ctr
};

Update key agreement process for Ed25519 that is used in substrate key store.
I can not use below one because of lack of adopting Ed25519 algorithm, only X25519.
https://briansmith.org/rustdoc/ring/agreement/fn.agree_ephemeral.html

Here is the key exchange algorithm for Ed25519.
https://github.com/DaGenix/rust-crypto/blob/master/src/ed25519.rs#L132-L151

But I need to adopt for key generation of substrate.

ref: https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures

Currently, there are not any overflow checking for the encrypted value. Add overflow checking or some restriction for the value.

"Zerochain" would be a our public chain using Zframe.

https://github.com/LayerXcom/zero-chain/blob/master/primitives/src/cm_encryption.rs

let mut plaintext = vec![];
        // TODO: Ensure the byteorder is correct
        (&mut plaintext).write_u64::<LittleEndian>(self.value).unwrap();
        (&mut plaintext).write_u64::<LittleEndian>(self.randomness).unwrap();  

like

init: // each account has 100 unit at the time of initialization
 	- address0: 0xaa
 	- spending_key0: 0x4ab
 	- address1: 0xab
 	- spending_key1: 0x1c8
 	・・・
 transfer 0xab<receiver> 10<amount> 0x4ab<spending_key>
 	- success
 balance 0xaa<addr> 0x4ab<spending_key>
 	- 90
 all_balances
 	- 0xaa => 0xdaf
 	- 0xab => 0xfa3
 	・・・

Inside the transfer would be

transfer(sender, receiver, amount, sk) {
 	r,v = api::get_balance(sender) // GET
 	proof = prove() // embedded params
 	enc = encrypt()
 	tx = gen_tx()
 	runtime_api::execute_block() // POST
 }

For getting the balances, needed decryption.

 get_balance(addr) -> r, v {
 	enc = get_storage(addr, from_index)
 	p = dec(enc)
 	calc(p)
 }

It makes simple to use std and no_std dependencies. It means it is enable to use same pairing and jubjub crates in both std and no_std environment.

Avoid using unwrap() in https://github.com/LayerXcom/zero-chain/blob/master/primitives/src/cm_encryption.rs

Currently, the nonces are tied with each one-time signature verification key in the executive logic, so we need to get it tied with pkd_address (aka account id).

Output files of the setup parameters and then read the file for snark proving at the time of tx generation.

Refs:

• https://github.com/Zokrates/ZoKrates/blob/b1fbe401d2466998d373e0d73331e3603b5e7cd8/zokrates_cli/src/bin.rs

It would be implemented in Rust and the interface of POST and GET would be in CLI.

https://github.com/LayerXcom/zero-chain/blob/master/runtime/src/confidential_transfer.rs