Merge branch 'ripple/confidential-transfer' into ripple/confidential-transfer

Author: PeterChen13579

include/xrpl/protocol/ConfidentialTransfer.h

@@ -163,8 +163,49 @@ verifyClawbackEqualityProof(
 Buffer
 generateBlindingFactor();
 
+/**
+ * @brief Verifies the cryptographic link between an ElGamal Ciphertext and a
+ * Pedersen Commitment for a transaction Amount.
+ *
+ * It proves that the ElGamal ciphertext `encAmt` encrypts the same value `m`
+ * as the Pedersen Commitment `pcmSlice`, using the randomness `r`.
+ * Proves Enc(m) <-> Pcm(m)
+ *
+ * @param proof       The Zero Knowledge Proof bytes.
+ * @param encAmt      The ElGamal ciphertext of the amount (C1, C2).
+ * @param pubKeySlice The sender's public key.
+ * @param pcmSlice    The Pedersen Commitment to the amount.
+ * @param contextHash The unique context hash for this transaction.
+ * @return tesSUCCESS if the proof is valid, or an error code otherwise.
+ */
+TER
+verifyAmountPcmLinkage(
+    Slice const& proof,
+    Slice const& encAmt,
+    Slice const& pubKeySlice,
+    Slice const& pcmSlice,
+    uint256 const& contextHash);
+
+/**
+ * @brief Verifies the cryptographic link between an ElGamal Ciphertext and a
+ * Pedersen Commitment for an account Balance.
+ *
+ * It proves that the ElGamal ciphertext `encAmt` encrypts the same value `b`
+ * as the Pedersen Commitment `pcmSlice`, using the secret key `s`.
+ * Proves Enc(b) <-> Pcm(b)
+ *
+ * Note: Swaps arguments (Pk <-> C1) to accommodate the different algebraic
+ * structure.
+ *
+ * @param proof       The Zero Knowledge Proof bytes.
+ * @param encAmt      The ElGamal ciphertext of the balance (C1, C2).
+ * @param pubKeySlice The sender's public key.
+ * @param pcmSlice    The Pedersen Commitment to the balance.
+ * @param contextHash The unique context hash for this transaction.
+ * @return tesSUCCESS if the proof is valid, or an error code otherwise.
+ */
 TER
-verifyPedersenLinkage(
+verifyBalancePcmLinkage(
     Slice const& proof,
     Slice const& encAmt,
     Slice const& pubKeySlice,

include/xrpl/protocol/detail/sfields.macro

@@ -313,7 +313,8 @@ TYPED_SFIELD(sfAuditorEncryptedBalance,  VL,        42)
 TYPED_SFIELD(sfAuditorEncryptedAmount,   VL,        43)
 TYPED_SFIELD(sfAuditorElGamalPublicKey,  VL,        44)
 TYPED_SFIELD(sfBlindingFactor,           VL,        45)
-TYPED_SFIELD(sfPedersenCommitment,       VL,        46)
+TYPED_SFIELD(sfAmountCommitment,         VL,        46)
+TYPED_SFIELD(sfBalanceCommitment,        VL,        47)
 
 // account (common)
 TYPED_SFIELD(sfAccount,                  ACCOUNT,    1)

include/xrpl/protocol/detail/transactions.macro

@@ -1107,7 +1107,7 @@ TRANSACTION(ttCONFIDENTIAL_CONVERT_BACK, 87, ConfidentialConvertBack,
     {sfAuditorEncryptedAmount, soeOPTIONAL},
     {sfBlindingFactor, soeREQUIRED},
     {sfZKProof, soeREQUIRED},
-    {sfPedersenCommitment, soeREQUIRED}
+    {sfBalanceCommitment, soeREQUIRED},
 }))
 
 #if TRANSACTION_INCLUDE
@@ -1123,9 +1123,11 @@ TRANSACTION(ttCONFIDENTIAL_SEND, 88, ConfidentialSend,
     {sfSenderEncryptedAmount, soeREQUIRED},
     {sfDestinationEncryptedAmount, soeREQUIRED},
     {sfIssuerEncryptedAmount, soeREQUIRED},
+    {sfAuditorEncryptedAmount, soeOPTIONAL},
     {sfZKProof, soeREQUIRED},
+    {sfAmountCommitment, soeREQUIRED},
+    {sfBalanceCommitment, soeREQUIRED},
     {sfCredentialIDs, soeOPTIONAL},
-    {sfAuditorEncryptedAmount, soeOPTIONAL},
 }))
 
 #if TRANSACTION_INCLUDE

src/libxrpl/protocol/ConfidentialTransfer.cpp

@@ -479,7 +479,48 @@ checkEncryptedAmountFormat(STObject const& object)
 }
 
 TER
-verifyPedersenLinkage(
+verifyAmountPcmLinkage(
+    Slice const& proof,
+    Slice const& encAmt,
+    Slice const& pubKeySlice,
+    Slice const& pcmSlice,
+    uint256 const& contextHash)
+{
+    if (proof.length() != ecPedersenProofLength)
+        return tecINTERNAL;
+
+    secp256k1_pubkey c1, c2;
+    if (!makeEcPair(encAmt, c1, c2))
+        return tecINTERNAL;  // LCOV_EXCL_LINE
+
+    secp256k1_pubkey pubKey;
+    if (pubKeySlice.size() != ecPubKeyLength)
+        return tecINTERNAL;  // LCOV_EXCL_LINE
+
+    secp256k1_pubkey pcm;
+    if (pcmSlice.size() != ecPedersenCommitmentLength)
+        return tecINTERNAL;  // LCOV_EXCL_LINE
+
+    std::memcpy(pubKey.data, pubKeySlice.data(), ecPubKeyLength);
+    std::memcpy(pcm.data, pcmSlice.data(), ecPedersenCommitmentLength);
+
+    if (secp256k1_elgamal_pedersen_link_verify(
+            secp256k1Context(),
+            proof.data(),
+            &c1,
+            &c2,
+            &pubKey,
+            &pcm,
+            contextHash.data()) != 1)
+    {
+        return tecBAD_PROOF;
+    }
+
+    return tesSUCCESS;
+}
+
+TER
+verifyBalancePcmLinkage(
     Slice const& proof,
     Slice const& encAmt,
     Slice const& pubKeySlice,
@@ -493,12 +534,17 @@ verifyPedersenLinkage(
     secp256k1_pubkey c2;
 
     if (!makeEcPair(encAmt, c1, c2))
-        return tecINTERNAL;
+        return tecINTERNAL;  // LCOV_EXCL_LINE
 
     secp256k1_pubkey pubKey;
-    std::memcpy(pubKey.data, pubKeySlice.data(), ecPubKeyLength);
+    if (pubKeySlice.size() != ecPubKeyLength)
+        return tecINTERNAL;  // LCOV_EXCL_LINE
 
     secp256k1_pubkey pcm;
+    if (pcmSlice.size() != ecPedersenCommitmentLength)
+        return tecINTERNAL;  // LCOV_EXCL_LINE
+
+    std::memcpy(pubKey.data, pubKeySlice.data(), ecPubKeyLength);
     std::memcpy(pcm.data, pcmSlice.data(), ecPubKeyLength);
 
     if (secp256k1_elgamal_pedersen_link_verify(
@@ -509,7 +555,9 @@ verifyPedersenLinkage(
             &c1,
             &pcm,
             contextHash.data()) != 1)
+    {
         return tecBAD_PROOF;
+    }
 
     return tesSUCCESS;
 }