port pedersen commitment

Author: Patel-Raj11

xrpl4j-core/src/main/java/org/xrpl/xrpl4j/crypto/mpt/mpt-crypto/tests/CMakeLists.txt

@@ -51,3 +51,5 @@ add_mpt_test(test_elgamal_decrypt_vectors test_elgamal_decrypt_vectors.c mpt-cry
 add_mpt_test(test_pok_sk_vectors test_pok_sk_vectors.c mpt-crypto secp256k1 OpenSSL::Crypto)
 
 add_mpt_test(test_same_plaintext_multi_vectors test_same_plaintext_multi_vectors.c mpt-crypto secp256k1 OpenSSL::Crypto)
+
+add_mpt_test(test_pedersen_vectors test_pedersen_vectors.c mpt-crypto secp256k1 OpenSSL::Crypto)

xrpl4j-core/src/main/java/org/xrpl/xrpl4j/crypto/mpt/mpt-crypto/tests/test_pedersen_vectors.c

@@ -0,0 +1,96 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <secp256k1.h>
+#include "secp256k1_mpt.h"
+#include "test_utils.h"
+
+/* Fixed blinding factors for deterministic test vectors */
+static const unsigned char FIXED_NONCES[10][32] = {
+    {0x03, 0x67, 0xE5, 0xC8, 0x4F, 0x43, 0x71, 0x4E, 0x13, 0xE3, 0x4E, 0xD2, 0x12, 0xF9, 0x25, 0xB3,
+     0x75, 0xCD, 0x86, 0x3C, 0xAE, 0x46, 0xEF, 0xE3, 0xD1, 0x05, 0x65, 0x92, 0xC2, 0x55, 0x9D, 0xDA},
+    {0xA2, 0x68, 0xEE, 0x37, 0xE2, 0x3C, 0x65, 0x6D, 0x05, 0xF4, 0x82, 0x03, 0xFA, 0x23, 0x8D, 0x41,
+     0x92, 0x4C, 0x64, 0x57, 0x6E, 0x7F, 0x13, 0xA6, 0xD7, 0x29, 0x4D, 0x22, 0xCE, 0x5E, 0x24, 0x49},
+    {0x6B, 0x51, 0xA9, 0xD4, 0xD9, 0xEA, 0xD9, 0xBE, 0x6C, 0x64, 0x0D, 0x37, 0x42, 0xC3, 0x29, 0x63,
+     0x0C, 0xFB, 0xC0, 0x1A, 0x2D, 0x6A, 0x6D, 0xF1, 0x2D, 0x32, 0xCF, 0x60, 0x7E, 0xAD, 0xAC, 0x18},
+    {0x3F, 0x98, 0x46, 0x20, 0xB0, 0x14, 0xF5, 0xE5, 0x7F, 0xFE, 0x80, 0x92, 0x4C, 0x08, 0x95, 0x26,
+     0xAD, 0xE9, 0x3B, 0x87, 0xE0, 0x80, 0xDD, 0x2C, 0x39, 0xC5, 0xB7, 0xEB, 0xD1, 0xE1, 0xDC, 0x9F},
+    {0x41, 0xC3, 0x04, 0xBE, 0x98, 0xE5, 0xEB, 0x03, 0x08, 0xF4, 0xC6, 0x21, 0xFE, 0x52, 0xA3, 0xEF,
+     0x0E, 0x1C, 0xAE, 0x4E, 0xFC, 0xEB, 0xAC, 0x7E, 0x0F, 0xB6, 0x62, 0x75, 0xEA, 0x08, 0x3E, 0x87},
+    {0x99, 0x55, 0xB9, 0x26, 0xFA, 0xA3, 0xEA, 0x9A, 0x07, 0x74, 0x6C, 0xA5, 0xC0, 0x12, 0xF2, 0xDD,
+     0x10, 0xD4, 0x4C, 0xF7, 0x32, 0x17, 0x74, 0x6E, 0x5B, 0x37, 0x16, 0x3B, 0xA9, 0xCC, 0xA6, 0x2D},
+    {0xFF, 0x2F, 0xC7, 0x43, 0xE0, 0x21, 0xC6, 0xA5, 0x20, 0x6E, 0x3E, 0x3E, 0x5A, 0x5C, 0xFA, 0x0C,
+     0xE5, 0x42, 0x48, 0x2F, 0xF0, 0x21, 0x3A, 0x83, 0xD3, 0x57, 0xD1, 0xF0, 0xC2, 0x0C, 0xE8, 0xB7},
+    {0x72, 0x0B, 0xF9, 0xF6, 0x37, 0x76, 0x70, 0xE0, 0x00, 0x11, 0xC9, 0x01, 0x52, 0x6A, 0x40, 0x5C,
+     0xC7, 0x07, 0xBC, 0x92, 0x18, 0xB0, 0xE4, 0x40, 0x2E, 0x0E, 0x18, 0x21, 0x0F, 0x95, 0x3E, 0x54},
+    {0x6F, 0xEA, 0x36, 0xEA, 0xD5, 0x9A, 0x20, 0xD9, 0xBE, 0x21, 0x57, 0x30, 0xB8, 0xD2, 0x99, 0x5B,
+     0x67, 0x11, 0x27, 0x21, 0xB6, 0x7E, 0x1E, 0x14, 0xE3, 0xAF, 0xA8, 0x09, 0xE8, 0x3B, 0x28, 0x58},
+    {0x1C, 0x7D, 0x65, 0x5F, 0x23, 0x2B, 0x29, 0x4A, 0x87, 0xBB, 0xC6, 0x37, 0x53, 0xDA, 0x3B, 0xD6,
+     0xE6, 0xB4, 0xB7, 0x16, 0xF8, 0xD5, 0x5A, 0xF4, 0x5D, 0x9F, 0xF3, 0xEE, 0x11, 0xD0, 0xC8, 0xAA}
+};
+
+/* Test amounts - various values including 0, small, large */
+static const uint64_t TEST_AMOUNTS[10] = {
+    0,                      /* Zero amount */
+    1,                      /* Minimum non-zero */
+    100,                    /* Small amount */
+    555666,                 /* Medium amount */
+    1000000,                /* One million */
+    0xFFFFFFFF,             /* Max 32-bit */
+    0x100000000ULL,         /* 2^32 */
+    0x7FFFFFFFFFFFFFFFULL,  /* Max signed 64-bit */
+    12345678901234567ULL,   /* Large arbitrary */
+    9999999999999ULL        /* Another large value */
+};
+
+static void print_hex_json(const unsigned char* data, size_t len) {
+    for (size_t i = 0; i < len; i++) {
+        printf("%02X", data[i]);
+    }
+}
+
+static void generate_test_vector_json(const secp256k1_context* ctx, int index, int is_last) {
+    uint64_t amount = TEST_AMOUNTS[index];
+    const unsigned char* rho = FIXED_NONCES[index];
+    secp256k1_pubkey commitment;
+    unsigned char commitment_ser[33];
+    size_t len = 33;
+
+    /* Generate commitment */
+    int result = secp256k1_mpt_pedersen_commit(ctx, &commitment, amount, rho);
+    EXPECT(result == 1);
+
+    /* Serialize commitment */
+    EXPECT(secp256k1_ec_pubkey_serialize(ctx, commitment_ser, &len, &commitment, SECP256K1_EC_COMPRESSED) == 1);
+
+    /* Output JSON */
+    printf("    {\n");
+    printf("      \"amount\": %llu,\n", (unsigned long long)amount);
+    printf("      \"rho\": \""); print_hex_json(rho, 32); printf("\",\n");
+    printf("      \"expectedCommitment\": \""); print_hex_json(commitment_ser, 33); printf("\"\n");
+    printf("    }%s\n", is_last ? "" : ",");
+}
+
+int main() {
+    secp256k1_context* ctx = secp256k1_context_create(
+            SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
+    EXPECT(ctx != NULL);
+
+    /* Output JSON header */
+    printf("{\n");
+    printf("  \"description\": \"Pedersen commitment test vectors from C implementation\",\n");
+    printf("  \"vectors\": [\n");
+
+    /* Generate 10 test vectors */
+    for (int i = 0; i < 10; i++) {
+        generate_test_vector_json(ctx, i, i == 9);
+    }
+
+    /* Close JSON */
+    printf("  ]\n");
+    printf("}\n");
+
+    secp256k1_context_destroy(ctx);
+    return 0;
+}
+

xrpl4j-core/src/main/java/org/xrpl/xrpl4j/crypto/mpt/port/PedersenCommitmentPort.java

@@ -0,0 +1,52 @@
+package org.xrpl.xrpl4j.crypto.mpt.port;
+
+/*-
+ * ========================LICENSE_START=================================
+ * xrpl4j :: core
+ * %%
+ * Copyright (C) 2020 - 2023 XRPL Foundation and its contributors
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =========================LICENSE_END==================================
+ */
+
+import com.google.common.primitives.UnsignedLong;
+import org.xrpl.xrpl4j.codec.addresses.UnsignedByteArray;
+
+/**
+ * Port of {@code secp256k1_mpt_pedersen_commit} from commitments.c.
+ *
+ * <p>Creates a Pedersen Commitment: C = amount * G + rho * H, where G is the standard
+ * secp256k1 generator and H is a NUMS (Nothing-Up-My-Sleeve) generator derived using
+ * hash-to-curve.</p>
+ *
+ * <p>The commitment is returned as a 33-byte compressed point.</p>
+ */
+public interface PedersenCommitmentPort {
+
+  /**
+   * Generates a Pedersen Commitment for the given amount and blinding factor.
+   *
+   * <p>Handles the edge case where amount = 0, in which case C = rho * H.</p>
+   *
+   * @param amount The value to commit to (64-bit unsigned).
+   * @param rho    The blinding factor (32 bytes, must be a valid scalar).
+   *
+   * @return A 33-byte compressed point representing the commitment.
+   *
+   * @throws IllegalArgumentException if rho is not a valid scalar.
+   * @throws IllegalStateException    if commitment generation fails.
+   */
+  UnsignedByteArray generateCommitment(UnsignedLong amount, UnsignedByteArray rho);
+}
+

xrpl4j-core/src/main/java/org/xrpl/xrpl4j/crypto/mpt/port/bc/BcPedersenCommitmentPort.java

@@ -0,0 +1,181 @@
+package org.xrpl.xrpl4j.crypto.mpt.port.bc;
+
+/*-
+ * ========================LICENSE_START=================================
+ * xrpl4j :: core
+ * %%
+ * Copyright (C) 2020 - 2023 XRPL Foundation and its contributors
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =========================LICENSE_END==================================
+ */
+
+import com.google.common.primitives.UnsignedLong;
+import org.bouncycastle.math.ec.ECPoint;
+import org.xrpl.xrpl4j.codec.addresses.ByteUtils;
+import org.xrpl.xrpl4j.codec.addresses.UnsignedByteArray;
+import org.xrpl.xrpl4j.crypto.HashingUtils;
+import org.xrpl.xrpl4j.crypto.mpt.Secp256k1Operations;
+import org.xrpl.xrpl4j.crypto.mpt.port.PedersenCommitmentPort;
+
+import java.math.BigInteger;
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+
+/**
+ * BouncyCastle implementation of {@link PedersenCommitmentPort}.
+ *
+ * <p>Port of {@code secp256k1_mpt_pedersen_commit} from commitments.c.</p>
+ */
+public class BcPedersenCommitmentPort implements PedersenCommitmentPort {
+
+  private static final String DOMAIN_SEPARATOR = "MPT_BULLETPROOF_V1_NUMS";
+  private static final String CURVE_LABEL = "secp256k1";
+
+  /**
+   * Cached H generator point (lazily initialized).
+   */
+  private ECPoint cachedH;
+
+  @Override
+  public UnsignedByteArray generateCommitment(UnsignedLong amount, UnsignedByteArray rho) {
+    // 0. Input Check - matches: if (!secp256k1_ec_seckey_verify(ctx, rho)) return 0;
+    if (!Secp256k1Operations.isValidScalar(rho.toByteArray())) {
+      throw new IllegalArgumentException("rho is not a valid scalar");
+    }
+
+    byte[] mScalar = new byte[32];
+
+    try {
+      // 1. Calculate rho*H (Blinding Term)
+      // matches: if (!secp256k1_mpt_get_h_generator(ctx, &H)) return 0;
+      ECPoint H = getHGenerator();
+
+      // matches: rH = H; if (!secp256k1_ec_pubkey_tweak_mul(ctx, &rH, rho)) return 0;
+      BigInteger rhoInt = new BigInteger(1, rho.toByteArray());
+      ECPoint rH = Secp256k1Operations.multiply(H, rhoInt);
+
+      if (rH.isInfinity()) {
+        throw new IllegalStateException("rH is point at infinity");
+      }
+
+      // 2. Handle Zero Amount Case
+      // matches: if (amount == 0) { *commitment = rH; return 1; }
+      if (amount.equals(UnsignedLong.ZERO)) {
+        return UnsignedByteArray.of(Secp256k1Operations.serializeCompressed(rH));
+      }
+
+      // 3. Calculate m*G (Value Term)
+      // matches: for (int i = 0; i < 8; i++) { m_scalar[31 - i] = (amount >> (i * 8)) & 0xFF; }
+      long amountValue = amount.longValue();
+      for (int i = 0; i < 8; i++) {
+        mScalar[31 - i] = (byte) ((amountValue >> (i * 8)) & 0xFF);
+      }
+
+      // matches: if (!secp256k1_ec_pubkey_create(ctx, &mG, m_scalar)) goto cleanup;
+      BigInteger mInt = new BigInteger(1, mScalar);
+      ECPoint mG = Secp256k1Operations.multiplyG(mInt);
+
+      if (mG.isInfinity()) {
+        throw new IllegalStateException("mG is point at infinity");
+      }
+
+      // 4. Combine: C = mG + rH
+      // matches: if (!secp256k1_ec_pubkey_combine(ctx, commitment, points, 2)) goto cleanup;
+      ECPoint commitment = Secp256k1Operations.add(mG, rH);
+
+      if (commitment.isInfinity()) {
+        throw new IllegalStateException("commitment is point at infinity");
+      }
+
+      return UnsignedByteArray.of(Secp256k1Operations.serializeCompressed(commitment));
+
+    } finally {
+      // matches: OPENSSL_cleanse(m_scalar, 32);
+      Arrays.fill(mScalar, (byte) 0);
+    }
+  }
+
+  /**
+   * Gets the H generator point for Pedersen commitments.
+   *
+   * <p>Port of {@code secp256k1_mpt_get_h_generator} which derives a NUMS point
+   * using the label "H" at index 0.</p>
+   *
+   * @return The H generator point.
+   */
+  private ECPoint getHGenerator() {
+    if (cachedH == null) {
+      cachedH = hashToPointNums("H".getBytes(StandardCharsets.UTF_8), 0);
+    }
+    return cachedH;
+  }
+
+  /**
+   * Deterministically derives a NUMS (Nothing-Up-My-Sleeve) generator point.
+   *
+   * <p>Port of {@code secp256k1_mpt_hash_to_point_nums} from commitments.c.</p>
+   *
+   * @param label The domain/vector label (e.g., "H").
+   * @param index The vector index.
+   *
+   * @return The derived generator point.
+   */
+  private ECPoint hashToPointNums(byte[] label, int index) {
+    byte[] domainBytes = DOMAIN_SEPARATOR.getBytes(StandardCharsets.UTF_8);
+    byte[] curveBytes = CURVE_LABEL.getBytes(StandardCharsets.UTF_8);
+    byte[] indexBe = ByteUtils.toByteArray(index, 4);
+
+    // Try-and-increment loop
+    for (long ctr = 0; ctr < 0xFFFFFFFFL; ctr++) {
+      byte[] ctrBe = ByteUtils.toByteArray((int) ctr, 4);
+
+      // Build hash input: domainSeparator || curveLabel || label || index || counter
+      int inputLen = domainBytes.length + curveBytes.length +
+        (label != null ? label.length : 0) + 4 + 4;
+      byte[] hashInput = new byte[inputLen];
+      int offset = 0;
+
+      System.arraycopy(domainBytes, 0, hashInput, offset, domainBytes.length);
+      offset += domainBytes.length;
+      System.arraycopy(curveBytes, 0, hashInput, offset, curveBytes.length);
+      offset += curveBytes.length;
+      if (label != null && label.length > 0) {
+        System.arraycopy(label, 0, hashInput, offset, label.length);
+        offset += label.length;
+      }
+      System.arraycopy(indexBe, 0, hashInput, offset, 4);
+      offset += 4;
+      System.arraycopy(ctrBe, 0, hashInput, offset, 4);
+
+      byte[] hash = HashingUtils.sha256(hashInput).toByteArray();
+
+      // Construct compressed point candidate: 0x02 || hash
+      byte[] compressed = new byte[33];
+      compressed[0] = 0x02;
+      System.arraycopy(hash, 0, compressed, 1, 32);
+
+      try {
+        ECPoint point = Secp256k1Operations.deserialize(compressed);
+        if (point != null && !point.isInfinity()) {
+          return point;
+        }
+      } catch (Exception e) {
+        // Invalid point, continue to next counter
+      }
+    }
+
+    throw new IllegalStateException("Failed to derive NUMS point (extremely unlikely)");
+  }
+}
+