ligo/src/lib_crypto/crypto_box.ml

(**************************************************************************)
(*                                                                        *)
(*    Copyright (c) 2014 - 2018.                                          *)
(*    Dynamic Ledger Solutions, Inc. <contact@tezos.com>                  *)
(*                                                                        *)
(*    All rights reserved. No warranty, explicit or implicit, provided.   *)
(*                                                                        *)
(**************************************************************************)

(** Tezos - X25519/XSalsa20-Poly1305 cryptography *)

type secret_key = Sodium.Box.secret_key
type public_key = Sodium.Box.public_key
type channel_key = Sodium.Box.channel_key
type nonce = Sodium.Box.nonce
type target = Z.t

module Public_key_hash = Blake2B.Make (Base58) (struct
    let name = "Crypto_box.Public_key_hash"
    let title = "A Cryptobox public key ID"
    let b58check_prefix = Base58.Prefix.cryptobox_public_key_hash
    let size = Some 16
  end)

let () =
  Base58.check_encoded_prefix Public_key_hash.b58check_encoding "id" 30

let hash pk =
  Public_key_hash.hash_bytes [Sodium.Box.Bigbytes.of_public_key pk]

let random_keypair () =
  let sk, pk = Sodium.Box.random_keypair () in
  sk, pk, hash pk
let random_nonce = Sodium.Box.random_nonce
let increment_nonce = Sodium.Box.increment_nonce
let box = Sodium.Box.Bigbytes.box
let box_open sk pk msg nonce =
  try Some (Sodium.Box.Bigbytes.box_open sk pk msg nonce) with
  | Sodium.Verification_failure -> None

let precompute = Sodium.Box.precompute
let fast_box = Sodium.Box.Bigbytes.fast_box
let fast_box_open ck msg nonce =
  try Some (Sodium.Box.Bigbytes.fast_box_open ck msg nonce) with
  | Sodium.Verification_failure -> None

let compare_target hash target =
  let hash = Z.of_bits (Blake2B.to_string hash) in
  Z.compare hash target <= 0

let make_target f =
  if f < 0. || 256. < f then invalid_arg "Cryptobox.target_of_float" ;
  let frac, shift = modf f in
  let shift = int_of_float shift in
  let m =
    Z.of_int64 @@
    if frac = 0. then
      Int64.(pred (shift_left 1L 54))
    else
      Int64.of_float (2. ** (54. -. frac))
  in
  if shift < 202 then
    Z.logor
      (Z.shift_left m (202 - shift))
      (Z.pred @@ Z.shift_left Z.one (202 - shift))
  else
    Z.shift_right m (shift - 202)

let default_target = make_target 24.

let check_proof_of_work pk nonce target =
  let hash =
    Blake2B.hash_bytes [
      Sodium.Box.Bigbytes.of_public_key pk ;
      Sodium.Box.Bigbytes.of_nonce nonce ;
    ] in
  compare_target hash target

let generate_proof_of_work ?max pk target =
  let may_interupt =
    match max with
    | None -> (fun _ -> ())
    | Some max -> (fun cpt -> if max < cpt then raise Not_found) in
  let rec loop nonce cpt =
    may_interupt cpt ;
    if check_proof_of_work pk nonce target then
      nonce
    else
      loop (increment_nonce nonce) (cpt + 1) in
  loop (random_nonce ()) 0

let public_key_encoding =
  let open Data_encoding in
  conv
    Sodium.Box.Bigbytes.of_public_key
    Sodium.Box.Bigbytes.to_public_key
    (Fixed.bytes Sodium.Box.public_key_size)

let secret_key_encoding =
  let open Data_encoding in
  conv
    Sodium.Box.Bigbytes.of_secret_key
    Sodium.Box.Bigbytes.to_secret_key
    (Fixed.bytes Sodium.Box.secret_key_size)

let nonce_encoding =
  let open Data_encoding in
  conv
    Sodium.Box.Bigbytes.of_nonce
    Sodium.Box.Bigbytes.to_nonce
    (Fixed.bytes Sodium.Box.nonce_size)
crypto box initial utility functions for encrypted communication using crypto box (X25519/XSalsa20-Poly1305) 2016-11-03 22:15:31 +04:00			`(**************************************************************************)`
			`(* *)`
Update copyright notice (2018) 2018-02-06 00:17:03 +04:00			`(* Copyright (c) 2014 - 2018. *)`
crypto box initial utility functions for encrypted communication using crypto box (X25519/XSalsa20-Poly1305) 2016-11-03 22:15:31 +04:00			`(* Dynamic Ledger Solutions, Inc. <contact@tezos.com> *)`
			`(* *)`
			`(* All rights reserved. No warranty, explicit or implicit, provided. *)`
			`(* *)`
			`(**************************************************************************)`

			`(** Tezos - X25519/XSalsa20-Poly1305 cryptography *)`

			`type secret_key = Sodium.Box.secret_key`
			`type public_key = Sodium.Box.public_key`
			`type channel_key = Sodium.Box.channel_key`
			`type nonce = Sodium.Box.nonce`
Shell: Add `Cryptobox.target_of_float` [target_of_float f] is `2 ^ (256 - f)`. 2017-01-23 14:09:51 +04:00			`type target = Z.t`
crypto box initial utility functions for encrypted communication using crypto box (X25519/XSalsa20-Poly1305) 2016-11-03 22:15:31 +04:00
Jbuilder: split `src/utils/` in multiple OPAM packages * `lib_stdlib`: basic extended OCaml stdlib and generic data structures * `lib_data_encoding`: almost independant 'Data_encoding' * `lib_error_monad`: almost independant 'Error_monad' * `lib_stdlib_lwt`: extended Lwt library * `lib_crypto`: all the crypto stuff (hashing, signing, cryptobox). * `lib_base`: - basic type definitions (Block_header, Operation, ...) - a module `TzPervasives` to bind them all and to be the single module opened everywhere. In the process, I splitted `Tezos_data` and `Hash` in multiple submodules, thus removing a lot of `-open`. The following two modules may not have found their place yet: - Base58 (currently in `lib_crypto`) - Cli_entries (currently in `lib_stdlib_lwt`) 2017-11-27 09:13:12 +04:00			`module Public_key_hash = Blake2B.Make (Base58) (struct`
Shell: add `Crypto_box.Public_key_hash` 2017-01-14 16:13:49 +04:00			`let name = "Crypto_box.Public_key_hash"`
			`let title = "A Cryptobox public key ID"`
Switch to Base58. Base48 was fun but... hell yeah... let's stay standard. Public encoding of hash: ``` Block: "B..." (len: 51) Operation: "o..." (len: 51) Protocol: "P..." (len: 51) Ed25519: "tz1.." (len: 36) Contract: "TZ1.." (len: 36) NetworkdId: "id.." (len: 30) ``` Other internal prefixes (in the RPC): ``` Hash of Michelson's expression: "expr..." (len: 54) Ed25519 public key: "edpk..." (len: 54) Ed25519 secret key: "edsk..." (len: 98) Ed25519 signature: "edsig.." (len: 99) Hash of a random seed nonce: "nce...." (len: 53) Random seed: "rng...." (len: 53) ``` 2017-02-19 21:22:32 +04:00			`let b58check_prefix = Base58.Prefix.cryptobox_public_key_hash`
Shell: add `Crypto_box.Public_key_hash` 2017-01-14 16:13:49 +04:00			`let size = Some 16`
			`end)`

Switch to Base58. Base48 was fun but... hell yeah... let's stay standard. Public encoding of hash: ``` Block: "B..." (len: 51) Operation: "o..." (len: 51) Protocol: "P..." (len: 51) Ed25519: "tz1.." (len: 36) Contract: "TZ1.." (len: 36) NetworkdId: "id.." (len: 30) ``` Other internal prefixes (in the RPC): ``` Hash of Michelson's expression: "expr..." (len: 54) Ed25519 public key: "edpk..." (len: 54) Ed25519 secret key: "edsk..." (len: 98) Ed25519 signature: "edsig.." (len: 99) Hash of a random seed nonce: "nce...." (len: 53) Random seed: "rng...." (len: 53) ``` 2017-02-19 21:22:32 +04:00			`let () =`
			`Base58.check_encoded_prefix Public_key_hash.b58check_encoding "id" 30`

Shell: add `Crypto_box.Public_key_hash` 2017-01-14 16:13:49 +04:00			`let hash pk =`
			`Public_key_hash.hash_bytes [Sodium.Box.Bigbytes.of_public_key pk]`

			`let random_keypair () =`
			`let sk, pk = Sodium.Box.random_keypair () in`
			`sk, pk, hash pk`
crypto box initial utility functions for encrypted communication using crypto box (X25519/XSalsa20-Poly1305) 2016-11-03 22:15:31 +04:00			`let random_nonce = Sodium.Box.random_nonce`
			`let increment_nonce = Sodium.Box.increment_nonce`
			`let box = Sodium.Box.Bigbytes.box`
handle decryption exceptions 2016-11-08 02:38:02 +04:00			`let box_open sk pk msg nonce =`
			`try Some (Sodium.Box.Bigbytes.box_open sk pk msg nonce) with`
Reindent all files Now `make test` fails when sources are not indented correctly, the indentation test is also executed in the CI. 2017-11-13 19:34:00 +04:00			`\| Sodium.Verification_failure -> None`
Merge remote-tracking branch 'ocp/crypto-box' 2016-11-16 04:19:13 +04:00
Shell: add `Crypto_box.Public_key_hash` 2017-01-14 16:13:49 +04:00			`let precompute = Sodium.Box.precompute`
			`let fast_box = Sodium.Box.Bigbytes.fast_box`
			`let fast_box_open ck msg nonce =`
			`try Some (Sodium.Box.Bigbytes.fast_box_open ck msg nonce) with`
Reindent all files Now `make test` fails when sources are not indented correctly, the indentation test is also executed in the CI. 2017-11-13 19:34:00 +04:00			`\| Sodium.Verification_failure -> None`
Shell: add `Crypto_box.Public_key_hash` 2017-01-14 16:13:49 +04:00
Shell: reduce difficulty for P2P identity... ... until we properly store the nonce in the configuration file, together with the expected difficulty. 2016-11-25 21:03:57 +04:00			`let compare_target hash target =`
Jbuilder: split `src/utils/` in multiple OPAM packages * `lib_stdlib`: basic extended OCaml stdlib and generic data structures * `lib_data_encoding`: almost independant 'Data_encoding' * `lib_error_monad`: almost independant 'Error_monad' * `lib_stdlib_lwt`: extended Lwt library * `lib_crypto`: all the crypto stuff (hashing, signing, cryptobox). * `lib_base`: - basic type definitions (Block_header, Operation, ...) - a module `TzPervasives` to bind them all and to be the single module opened everywhere. In the process, I splitted `Tezos_data` and `Hash` in multiple submodules, thus removing a lot of `-open`. The following two modules may not have found their place yet: - Base58 (currently in `lib_crypto`) - Cli_entries (currently in `lib_stdlib_lwt`) 2017-11-27 09:13:12 +04:00			`let hash = Z.of_bits (Blake2B.to_string hash) in`
Shell: Add `Cryptobox.target_of_float` [target_of_float f] is `2 ^ (256 - f)`. 2017-01-23 14:09:51 +04:00			`Z.compare hash target <= 0`

			`let make_target f =`
			`if f < 0. \|\| 256. < f then invalid_arg "Cryptobox.target_of_float" ;`
			`let frac, shift = modf f in`
			`let shift = int_of_float shift in`
			`let m =`
			`Z.of_int64 @@`
			`if frac = 0. then`
			`Int64.(pred (shift_left 1L 54))`
			`else`
			`Int64.of_float (2. ** (54. -. frac))`
			`in`
			`if shift < 202 then`
			`Z.logor`
			`(Z.shift_left m (202 - shift))`
			`(Z.pred @@ Z.shift_left Z.one (202 - shift))`
			`else`
			`Z.shift_right m (shift - 202)`
default target takes a couple seconds on my laptop to generate a proof of work with this target 2016-11-19 02:07:27 +04:00
Shell: Add `Cryptobox.target_of_float` [target_of_float f] is `2 ^ (256 - f)`. 2017-01-23 14:09:51 +04:00			`let default_target = make_target 24.`
use 256 bit target for proof of work * SHA256 produces 256 bits pseudo-randomly uniformly, so you may compare to a 256 bit target to get a proof of work * If you pretend that the hash and targets are both integers between 0 and 2^256 - 1, then the target partitions the range into passing and failing segments. * In order to match the use of the `get_uint16` function from `ocplib-endian`, the easiest way to encode `target` is as a `int list` which works if not ideal * This seems like the same thing bitcoin does; difficulty there is actually not a primary notion but is calculated from a 256 bit target, which is what gets adjusted over time 2016-11-18 00:02:32 +04:00
			`let check_proof_of_work pk nonce target =`
Shell: reduce difficulty for P2P identity... ... until we properly store the nonce in the configuration file, together with the expected difficulty. 2016-11-25 21:03:57 +04:00			`let hash =`
Jbuilder: split `src/utils/` in multiple OPAM packages * `lib_stdlib`: basic extended OCaml stdlib and generic data structures * `lib_data_encoding`: almost independant 'Data_encoding' * `lib_error_monad`: almost independant 'Error_monad' * `lib_stdlib_lwt`: extended Lwt library * `lib_crypto`: all the crypto stuff (hashing, signing, cryptobox). * `lib_base`: - basic type definitions (Block_header, Operation, ...) - a module `TzPervasives` to bind them all and to be the single module opened everywhere. In the process, I splitted `Tezos_data` and `Hash` in multiple submodules, thus removing a lot of `-open`. The following two modules may not have found their place yet: - Base58 (currently in `lib_crypto`) - Cli_entries (currently in `lib_stdlib_lwt`) 2017-11-27 09:13:12 +04:00			`Blake2B.hash_bytes [`
Shell: switch to Blake2b (closes #87 #89) Also drop the dependencies on Cryptokit. 2016-11-25 22:46:50 +04:00			`Sodium.Box.Bigbytes.of_public_key pk ;`
			`Sodium.Box.Bigbytes.of_nonce nonce ;`
			`] in`
Shell: reduce difficulty for P2P identity... ... until we properly store the nonce in the configuration file, together with the expected difficulty. 2016-11-25 21:03:57 +04:00			`compare_target hash target`
use 256 bit target for proof of work * SHA256 produces 256 bits pseudo-randomly uniformly, so you may compare to a 256 bit target to get a proof of work * If you pretend that the hash and targets are both integers between 0 and 2^256 - 1, then the target partitions the range into passing and failing segments. * In order to match the use of the `get_uint16` function from `ocplib-endian`, the easiest way to encode `target` is as a `int list` which works if not ideal * This seems like the same thing bitcoin does; difficulty there is actually not a primary notion but is calculated from a 256 bit target, which is what gets adjusted over time 2016-11-18 00:02:32 +04:00
Shell: animated generation of `P2p.Identity` 2017-01-23 14:09:48 +04:00			`let generate_proof_of_work ?max pk target =`
			`let may_interupt =`
			`match max with`
			`\| None -> (fun _ -> ())`
			`\| Some max -> (fun cpt -> if max < cpt then raise Not_found) in`
			`let rec loop nonce cpt =`
			`may_interupt cpt ;`
			`if check_proof_of_work pk nonce target then`
			`nonce`
			`else`
			`loop (increment_nonce nonce) (cpt + 1) in`
			`loop (random_nonce ()) 0`
proof of work start 2016-11-09 06:18:09 +04:00
Merge remote-tracking branch 'ocp/crypto-box' 2016-11-16 04:19:13 +04:00			`let public_key_encoding =`
			`let open Data_encoding in`
Reindent all files Now `make test` fails when sources are not indented correctly, the indentation test is also executed in the CI. 2017-11-13 19:34:00 +04:00			`conv`
			`Sodium.Box.Bigbytes.of_public_key`
			`Sodium.Box.Bigbytes.to_public_key`
			`(Fixed.bytes Sodium.Box.public_key_size)`
Merge remote-tracking branch 'ocp/crypto-box' 2016-11-16 04:19:13 +04:00
			`let secret_key_encoding =`
			`let open Data_encoding in`
Reindent all files Now `make test` fails when sources are not indented correctly, the indentation test is also executed in the CI. 2017-11-13 19:34:00 +04:00			`conv`
			`Sodium.Box.Bigbytes.of_secret_key`
			`Sodium.Box.Bigbytes.to_secret_key`
			`(Fixed.bytes Sodium.Box.secret_key_size)`
Merge remote-tracking branch 'ocp/crypto-box' 2016-11-16 04:19:13 +04:00
			`let nonce_encoding =`
			`let open Data_encoding in`
Reindent all files Now `make test` fails when sources are not indented correctly, the indentation test is also executed in the CI. 2017-11-13 19:34:00 +04:00			`conv`
			`Sodium.Box.Bigbytes.of_nonce`
			`Sodium.Box.Bigbytes.to_nonce`
			`(Fixed.bytes Sodium.Box.nonce_size)`