Merge branch 'master' into copilot/fix-4d7baae3-30e8-449c-9911-511e99961dd6

Author: mvadari

XLS-0025-enhanced-secret-numbers/README.md

@@ -0,0 +1,102 @@
+<pre>
+  xls: 25
+  title: Enhanced Secret Numbers
+  description: Enhances XLS-12 secret number format by introducing an additional block for encoding ancillary information, and supporingt for longer secrets.
+  author: Nik Bougalis (nikb@bougalis.net)
+  status: Final
+  category: Community
+  created: 2021-12-10
+</pre>
+
+# Enhanced Secret Numbers
+
+## Abstract
+The Secret Numbers proposal **<a href="https://github.com/XRPLF/XRPL-Standards/tree/master/XLS-12">XLS-12</a>** introduces a new format for secrets - based on blocks of numbers/digits (0-9) with block-level checksums - to generate XRP Ledger account keys and address. This draft proposes augmenting and enhancing **XLS-12** to make the format more flexible and more robust.
+
+### Motivation
+The XRP Ledger typically uses 128-bit seeds as the cryptographic material from which cryptographic keys for accounts are derived. Such seeds are generally too long for humans to remember and the existing formats are hard to <em>transcribe</em>. Prior to XLS-12, there were 4 canonical encoding for the seed data:
+
+1. A Base58-based encoding scheme beginning with the letter `s` (in this format, the result is often, but _incorrectly_, referred to as a private key); or
+2. A word-based "mnemonic", encoded using a variant of RFC 1751; or
+3. A raw hex string, directly representing the 128-bit seed; or
+3. A passphrase, an arbitrary string of words which is hashed to produce a seed.
+
+By way of example, let's use the well-known [genesis account](https://xrpl.org/accounts.html#special-addresses), `rHb9CJAWyB4rj91VRWn96DkukG4bwdtyTh`, which has an associated **`secp256k`** key:
+
+1. The seed for the account is `snoPBrXtMeMyMHUVTgbuqAfg1SUTb`;
+2. The mnemonic is `I IRE BOND BOW TRIO LAID SEAT GOAL HEN IBIS IBIS DARE`;
+3. The raw hex is `DEDCE9CE67B451D852FD4E846FCDE31C`; and
+3. The corresponding passphrase is `masterpassphrase`.
+
+The **XLS-12** standard introduced a new format, secret mumbers, which consists of 8 blocks of 6 digits, where the first five digits correspoding to a 16-bit number (from 0 to 65535) and the 6th digit is a checksum based on the five preceding digits and the index of the block. The **XLS-12** secret numbers for the genesis account are: `570521-598543-265488-209520-212450-201006-286214-581400`.
+
+### Issues with XLS-12
+
+The **XLS-12** specification, while convenient and easier to transcribe, has several drawbacks:
+
+First, it encodes no ancillary information about the information encoded (e.g. whether it is meant to derive a **secp256k1** or an **Ed25519** key) and is limited to only encoding seeds, from which keys are then derived. Second, the block-level checksum is inefficient and detects only a small percentage of errors.
+
+Lastly, it's unclear whether the secret numbers should be used to create a **secp256k1** or an **Ed25519** key. For example, given the above `570521-598543-265488-209520-212450-201006-286214-581400` secret numbers, an implementation could derive an **Ed25519** and, therefore, an account that is not the well-known genesis account. Tools that support secret numbers typically resort to detecting the type of account, usually in a semi- automated fashion, but on occasion by resorting to asking the user to confirm their intended public address.
+
+### Enhancements to XLS-12
+
+This proposal aims to address these problems by proposing extensions to **XLS-12** which retaining backwards compatibility. There are three primary changes:
+
+1. Using a simplified but more powerful per-block checksum;
+2. Introducing an additional block, which is used to encode ancillary information; and
+3. Support for longer blocks, allowing encoding of 128-bit and 256-bit secrets.
+
+Secret numbers compatible with this specification will always be composed of an odd number of blocks; secret numbers compatible with the **XLS-12** specification will always be composed of an even number of blocks&mdash;or more specifically, precisely 8 blocks. This makes it possible to seamlessly detect which standard was used and allows for backwards compatibility.
+
+#### Per-block checksusm
+
+Under **XLS-12** the Nth block consists of 16 bits of raw key material, and an additional checksum digit. Assuming the keying material has value `X` the N<sub>th</sub> block would be: `(X * 10) + ((X * (N * 2 + 1)) % 9)`. 
+
+In theory, the checksum digit can take any value from [0,...,9] but, by construction, not all checksum digits are equally likely across all blocks, reducing their usefulness. For blocks at positions 2 and 8, the only valid checksum digits are `0`, `3` and `6`; blocks at position 5 are worse, with `0` being the _only_ valid checksum digit.
+
+This proposal simplifies the checksum function for key blocks by reducing it to a simple multiplication by 13, a prime number. That is, the N<sub>th</sub> key block simply becomes: `X * 13`. Under this scheme, the possible values are multiple of 13 and and the range is from [0,...,851955]. This scheme avoids the position-dependent behavior observed with the existing scheme and allows for more efficient error detection.
+
+#### Information Block
+
+This proposal _prepends_ an additional 6-digit block, composed of two 16-bit values, that encodes ancillary information about the content and a checksum of the blocks that can be used to detect whole-block transposition, or incorrect blocks.
+
+First, calculate the checksum of all blocks as `(∑(𝑥[i] * π[i]>)) mod 256`, where `𝑥[i]` is the i<sup>th</sup> 16-bit block of data being encoded and `π[i]` is the i<sup>th</sup> prime number. The result is an 8-bit value, `C`.
+
+##### Flags
+The proposal also defines an 8-bit field, that can be used to specify details or ancillary information about the key. This proposal defines this as a bitfield named `F`. The following flags are defined:
+
+|Value | Meaning                                                                                                                             |
+|------|----------------------------------------------------------------------------------------------------------------------------|
+| `0x01` |The data block represents a raw 128-bit _seed_, from which private keys can be derived using the derivation algorithm defined in `rippled`.    |
+| `0x02` |The private key calculated or derived from this block of data is used with the **secp256k1** algorithm.       |
+| `0x04` |The private key calculated or derived from this block of data is used with the **Ed25519** algorithm.   |
+| `0x08` |The data block represents an **Ed25519** validator master key. This flag cannot be combined with any other flags.   |
+| `0x10` |The data block represents the fulfillment of a `PREIMAGE-SHA256` cryptocondition. This flag cannot be combined with any other flags. |
+
+##### Using Flags
+
+The different flags used with extended keys make it possible to directly encode different types of keys as well as allow for 128-bit and 256-bit keys.
+
+For example:
+
+- A 256-bit **`secp256k`** (or **`Ed25519`**, if the `0x08` flag is included) key can be directly encoded as 17 groups, if they information block does not include the `0x01` flag.
+- A 256-bit preimage for a cryptocondition can be encoded as 17 groups, if the information block includes the `0x10` flag.
+
+Other flags may be added in the future. A compliant implementation of this proposal _SHOULD_ fail if any flags other than the ones it understands are used.
+
+
+##### Information Block Checksum
+
+By construction, no valid XLS12 block can have a value greater than 655356 (i.e. 65535 * 10 + (65535 % 9)). This means that any block that begins with a 7, 8 or 9 cannot be a valid XLS12 block. This means that we can construct the first block in such a way so as to allow for automatic detection of "classic" XLS-12 keys and "extended" keys as defined in this proposal.
+
+Again, assume that C is the checksum described above and F is the flag bitfield, then the information block checksum `X` is defined as:
+
+    X = (F ^ C) % 3
+
+The information block itself is then calculated as:
+
+    A = ((X + 7) * 100000) + (C * 256 + F)
+
+The end result is an A block that begins with 7, 8 or 9, which means it cannot be a valid XLS12 block, while still retaining a checksum in the A block.
+
+

XLS-0041-xpop/README.md

@@ -0,0 +1,130 @@
+<pre>
+    xls: 41
+    title: XRPL Proof of Payment Standard (XPOP)
+    author: Richard Holland (RichardAH)
+	description: An offline non-interactive cryptographic proof that a transaction was successfully submitted to the XRP Ledger and what its impact (metadata) was
+    created: 2023-05-04
+    status: Final
+    category: Community
+</pre>
+# XLS-41d
+
+# Abstract
+
+An XRPL Proof of Payment (XPOP) is an offline non-interactive cryptographic proof that a transaction was successfully submitted to the XRP Ledger and what its impact (metadata) was.
+
+# Background
+
+The XRPL is comprised of a chain of blocks (Ledgers) co-operatively and deterministically computed, shared and subsequently signed (validated) by a quorum of rippled nodes (validators) operating in a socially trusted group known as a Unique Node List (UNL). The UNL is typically published by a trusted third party in a format known as a Validator List (VL). (Examples: https://vl.xrplf.com, https://vl.ripple.com). Each VL is cryptographically signed by a master publishing key. Users of the network ultimately trust this publisher (key) to choose appropriate validators for the UNL that will co-operate to make forward progress and not conspire to defraud them.
+
+# Proof
+
+Each VL contains a list of validators signed for by the VL publisher key.
+
+Each validator is a key that signs validation messages over each Ledger header.
+
+Each Ledger header contains the root hash of two patricia merkle tries:
+
+- the current (”account”) state for the ledger, and
+- the transactions and their metadata in that Ledger.
+
+A quorum (from a given VL) of signed validation messages proves a Ledger was correctly closed and became part of the block chain.
+
+Thus if one trusts the VL publisher key, then one can form a complete chain of validation from the VL key down to a transaction and its meta data without connectivity to the internet. This is an XPOP.
+
+# Format
+
+XPOPs are a JSON object with the following schema:
+
+```
+{
+	"ledger": {
+		"acroot": merkle root of account state map | hex string,
+		"txroot": merkle root of transaction map | hex string ,
+		"close": close time | int,
+		"coins": total drops | int or string,
+		"cres": close time resolution | int,
+		"flags": ledger flags | int,
+		"pclose": parent close time | int,
+		"phash": parent hash | hex string,
+	},
+	"transaction": {
+		"blob": serialized transaction | hex string,
+		"meta": serialized metadata | hex string,
+		"proof": <see below>
+	},
+	"validation": {
+		"data": {
+			validator pub key or master key | base58 string : serialized validation message | hex string
+			... for each validation message
+		},
+		"unl": {
+			"blob": base64 encoded VL blob as appearing on vl site | base64 string,
+			... remaining fields from vl site
+		}
+	}
+}
+```
+
+The `proof` key inside `transaction` section has one of two possible forms:
+
+1. List form:
+    
+    In this form the merkle proof is a list of lists (and strings) containing the minimum number of entries to form the merkle proof. Each list contains 16 entries (branches `0` through `F`). For each branch either the the root hash of that branch is provided as a 64 hex nibble string, or a further list of 16 entries is provided, until the transaction that the proof proves is reached. If a list contains fewer than 16 entries then the verifier should infer that the remaining entries are all null entries (hash strings that are sequences of 0s).
+    
+
+```
+# list form
+"proof": [
+	hex string for branch '0',
+	...
+        hex string for branch 'A',
+	# branch 'B' is a list
+	[ 
+			hex string for branch 'B0',
+			... ,
+			hex string for branch 'BE',
+			# branch 'BF' is a list
+			[
+				hex string for branch 'BF0',
+				...
+			]
+	],
+	hex string for branch 'C',
+	...
+]
+
+```
+
+1. Tree form:
+    
+    In this form the merkle proof is an object of objects containing the entire transaction map for the ledger. This form is useful if many XPOPs must be generated for the same ledger and the size of each individual XPOP is less relevant than the amount of work to make and store the XPOPs. Each object contains three keys: `children`, `hash`, `key`.
+    
+    - The `children` key is always either an empty object or is keyed with only the branches which actually exist there, each as a single hex nibble `0` - `F`.
+    - The `hash` key is always a 64 nibble hex string: either the hash over the children (with appropriate namespace) or, if a leaf node, the hash over the node (with appropriate namespace).
+    - The `key` key is always a 64 nibble hex string: the keylet (index) of the object at this location.
+    
+    ```
+    # tree form
+    "proof": {
+      "hash" : hex string,
+      "key" : hex string,
+    	"children" : {
+    		"0":
+    		{
+    			"children": {},
+    			"hash": hex string,
+    			"key": hex string
+    		},
+    		...
+    		"F":
+    		{ ...}
+    	}
+    }
+    ```
+    
+# Verifying
+
+See reference implementation at: [xpop-verifier-py](https://github.com/RichardAH/xpop-verifier-py/blob/main/verify.py)
+
+