ecdh_omr/

blinding.rs

// SPDX-FileCopyrightText: 2024-2026 eaon <eaon@posteo.net>
// SPDX-License-Identifier: EUPL-1.2

#[cfg(feature = "rustcrypto-ec")]
use std::ops::Add;

#[cfg(feature = "dalek-ristretto255")]
use curve25519_dalek::traits::Identity;
#[cfg(feature = "rustcrypto-ec")]
use elliptic_curve::{
    AffinePoint, Curve, CurveArithmetic, Generate, ProjectivePoint,
    point::PointCompression,
    sec1::{CompressedPoint, CompressedPointSize, FromSec1Point, ModulusSize, ToSec1Point},
};
use hybrid_array::Array;
#[cfg(feature = "rustcrypto-ec")]
use hybrid_array::ArraySize;
use rand_core::CryptoRng;
use typenum::Sum;
#[cfg(feature = "rustcrypto-ec")]
use typenum::Unsigned;

#[cfg(feature = "dalek-x25519")]
use crate::DalekX25519;
#[cfg(feature = "rustcrypto-ec")]
use crate::EllipticCurve;
#[cfg(feature = "dalek-ristretto255")]
use crate::{DalekRistretto255, dalek_ristretto255};
use crate::{KeyPair, error::*};

type BlindedPublicKeySize<C> = Sum<<C as KeyPair>::PublicKeySize, <C as KeyPair>::PublicKeySize>;

/// An ECDH public key that has been blinded, enabling a third party to send a message without
/// knowing the cryptographic identity of the recipient.
#[derive(Debug, Clone)]
pub struct BlindedPublicKey<K: KeyPair> {
    /// The blinded public key that can be used to perform a normal Diffie-Hellman key agreement.
    pub(crate) inner: K::PublicKey,
    /// Blinding factor used to create the blinded public key.
    ///
    /// Carrying this piece of information is necessary because we want a third party to be able to
    /// share a secret of its choosing with the party controlling the secret key of the blinded
    /// public key.
    pub(crate) blinding_factor: K::PublicKey,
}

/// Blind a public key.
pub trait Blind<K: KeyPair> {
    /// Blind a public key with the supplied RNG.
    fn blind(&self, csprng: &mut impl CryptoRng) -> BlindedPublicKey<K>;
}

/// (De)serialization for [`BlindedPublicKey`].
///
/// # Security
///
/// Implementers **must** validate deserialized public keys in [`from_bytes`](Self::from_bytes).
/// Small-order and identity points must be rejected with [`Error::InvalidPoint`].
/// Failure to validate can lead to key recovery or other cryptographic attacks.
pub trait Blinded: Sized {
    /// A bytes array type with the size of the serialized [`BlindedPublicKey`].
    type BytesArray;
    /// Parse a [`BlindedPublicKey`] from a `BytesArray`.
    ///
    /// # Security
    ///
    /// Implementers **must** validate deserialized blinded public key as well as its blinding
    /// factor and reject small-order and identity points with [`Error::InvalidPoint`].
    fn from_bytes(bytes: &Self::BytesArray) -> Result<Self>;
    /// Serialize [`BlindedPublicKey`] to a `BytesArray`.
    fn to_bytes(&self) -> Self::BytesArray;
}

impl<'a, K: KeyPair> TryFrom<&'a [u8]> for BlindedPublicKey<K>
where
    Self: Blinded,
    <Self as Blinded>::BytesArray: TryFrom<&'a [u8]>,
{
    type Error = Error;

    fn try_from(bytes: &'a [u8]) -> Result<Self> {
        Self::from_bytes(
            &<Self as Blinded>::BytesArray::try_from(bytes).map_err(|_| Error::Decoding)?,
        )
    }
}

#[cfg(feature = "dalek-ristretto255")]
pub(crate) fn checked_decompress_ristretto255_public_key(
    bytes: [u8; 32],
) -> Result<dalek_ristretto255::PublicKey> {
    let decompressed = curve25519_dalek::ristretto::CompressedRistretto(bytes)
        .decompress()
        .ok_or(Error::Decoding)?;

    (decompressed != curve25519_dalek::ristretto::RistrettoPoint::identity())
        .then_some(dalek_ristretto255::PublicKey(decompressed))
        .ok_or(Error::InvalidPoint)
}

#[cfg(feature = "dalek-x25519")]
pub(crate) fn checked_x25519_public_key(bytes: [u8; 32]) -> Result<x25519_dalek::PublicKey> {
    // Sign choice irrelevant for small-order check
    curve25519_dalek::montgomery::MontgomeryPoint(bytes)
        .to_edwards(0)
        .filter(|point| !point.is_small_order())
        .map(|_| x25519_dalek::PublicKey::from(bytes))
        .ok_or(Error::InvalidPoint)
}

#[cfg(any(feature = "dalek-ristretto255", feature = "dalek-x25519"))]
macro_rules! dalek_blinding {
    (
        $random_blind_fn:ident,
        $blind_fn:ident,
        (
            $curve:ty,
            $public:ty,
            $secret:ty,
            $public_from_secret:expr,
            $shared_secret_to_public:expr,
            $checked_public_key:expr,
            $public_to_bytes:expr $(,)?
        ) $(,)?
    ) => {
        pub(crate) fn $random_blind_fn(
            public_key: &$public,
            csprng: &mut impl CryptoRng,
        ) -> ($public, $secret) {
            let blinding_factor_secret = <$secret>::random_from_rng(csprng);
            let blinded_public_key = $blind_fn(public_key, &blinding_factor_secret);

            (blinded_public_key, blinding_factor_secret)
        }

        pub(crate) fn $blind_fn(public_key: &$public, blinding_factor_secret: &$secret) -> $public {
            let blinded_shared_secret = blinding_factor_secret.diffie_hellman(public_key);

            $shared_secret_to_public(blinded_shared_secret)
        }

        impl Blind<$curve> for $public {
            fn blind(&self, csprng: &mut impl CryptoRng) -> BlindedPublicKey<$curve> {
                let (inner, blinding_factor_secret) = $random_blind_fn(self, csprng);

                BlindedPublicKey {
                    inner,
                    blinding_factor: $public_from_secret(&blinding_factor_secret),
                }
            }
        }

        impl Blinded for BlindedPublicKey<$curve> {
            type BytesArray = Array<u8, BlindedPublicKeySize<$curve>>;

            fn from_bytes(bytes: &Self::BytesArray) -> Result<Self> {
                let (inner_bytes, blinding_factor_bytes) =
                    bytes.split::<<$curve as KeyPair>::PublicKeySize>();
                let inner = $checked_public_key(inner_bytes.into())?;
                let blinding_factor = $checked_public_key(blinding_factor_bytes.into())?;

                Ok(Self {
                    inner,
                    blinding_factor,
                })
            }

            fn to_bytes(&self) -> Self::BytesArray {
                $public_to_bytes(&self.inner)
                    .into_iter()
                    .chain($public_to_bytes(&self.blinding_factor))
                    .collect()
            }
        }
    };
}

#[cfg(feature = "dalek-ristretto255")]
dalek_blinding!(
    random_blind_dalek_ristretto255,
    blind_dalek_ristretto255,
    (
        DalekRistretto255,
        dalek_ristretto255::PublicKey,
        dalek_ristretto255::StaticSecret,
        dalek_ristretto255::PublicKey::from,
        |secret: dalek_ristretto255::SharedSecret| dalek_ristretto255::PublicKey(secret.0),
        checked_decompress_ristretto255_public_key,
        |public: &dalek_ristretto255::PublicKey| public.to_bytes(),
    ),
);

#[cfg(feature = "dalek-x25519")]
dalek_blinding!(
    random_blind_dalek_x25519,
    blind_dalek_x25519,
    (
        DalekX25519,
        x25519_dalek::PublicKey,
        x25519_dalek::StaticSecret,
        x25519_dalek::PublicKey::from,
        |secret: x25519_dalek::SharedSecret| x25519_dalek::PublicKey::from(*secret.as_bytes()),
        checked_x25519_public_key,
        |public: &x25519_dalek::PublicKey| *public.as_bytes(),
    ),
);

#[cfg(feature = "rustcrypto-ec")]
fn diffie_hellman_affine<C: CurveArithmetic>(
    secret_key: &elliptic_curve::SecretKey<C>,
    public_key: &elliptic_curve::PublicKey<C>,
) -> AffinePoint<C> {
    use elliptic_curve::group::Curve;

    let public_point = ProjectivePoint::<C>::from(*public_key.as_affine());

    (public_point * secret_key.to_nonzero_scalar().as_ref()).to_affine()
}

#[cfg(feature = "rustcrypto-ec")]
pub(crate) fn random_blind_rcec<C: CurveArithmetic>(
    public_key: &elliptic_curve::PublicKey<C>,
    csprng: &mut impl CryptoRng,
) -> (elliptic_curve::PublicKey<C>, elliptic_curve::SecretKey<C>) {
    let blinding_factor_secret = elliptic_curve::SecretKey::<C>::generate_from_rng(csprng);
    let blinded_public_key = blind_rcec(public_key, &blinding_factor_secret);

    (blinded_public_key, blinding_factor_secret)
}

#[cfg(feature = "rustcrypto-ec")]
pub(crate) fn blind_rcec<C: CurveArithmetic>(
    public_key: &elliptic_curve::PublicKey<C>,
    blinding_factor_secret: &elliptic_curve::SecretKey<C>,
) -> elliptic_curve::PublicKey<C> {
    let blinded_shared_secret = diffie_hellman_affine(blinding_factor_secret, public_key);

    // SAFETY: Blinded shared secret is never an identity point
    #[allow(unsafe_code)]
    unsafe {
        elliptic_curve::PublicKey::<C>::from_affine(blinded_shared_secret).unwrap_unchecked()
    }
}

#[cfg(feature = "rustcrypto-ec")]
impl<C: CurveArithmetic> Blind<EllipticCurve<C>> for elliptic_curve::PublicKey<C>
where
    <C as Curve>::FieldBytesSize: ModulusSize,
{
    fn blind(&self, csprng: &mut impl CryptoRng) -> BlindedPublicKey<EllipticCurve<C>> {
        let (inner, blinding_factor_secret) = random_blind_rcec(self, csprng);

        BlindedPublicKey {
            inner,
            blinding_factor: blinding_factor_secret.public_key(),
        }
    }
}

#[cfg(feature = "rustcrypto-ec")]
impl<C: CurveArithmetic + PointCompression> Blinded for BlindedPublicKey<EllipticCurve<C>>
where
    <C as Curve>::FieldBytesSize: ModulusSize,
    <C as CurveArithmetic>::AffinePoint: ToSec1Point<C> + FromSec1Point<C>,
    CompressedPointSize<C>: Add<CompressedPointSize<C>> + ArraySize,
    Sum<CompressedPointSize<C>, CompressedPointSize<C>>: ArraySize,
{
    type BytesArray = Array<u8, BlindedPublicKeySize<EllipticCurve<C>>>;

    fn from_bytes(bytes: &Self::BytesArray) -> Result<Self> {
        // from_sec1_bytes also rejects identity points, but we can't distinguish between
        // decoding errors and invalid points from the provided error
        let public_size = CompressedPointSize::<C>::USIZE;
        let from_bytes = elliptic_curve::PublicKey::<C>::from_sec1_bytes;

        Ok(Self {
            inner: from_bytes(&bytes[..public_size]).map_err(|_| Error::Decoding)?,
            blinding_factor: from_bytes(&bytes[public_size..]).map_err(|_| Error::Decoding)?,
        })
    }

    fn to_bytes(&self) -> Self::BytesArray {
        CompressedPoint::<C>::from(&self.inner)
            .into_iter()
            .chain(CompressedPoint::<C>::from(&self.blinding_factor))
            .collect()
    }
}