WIP

Author: Patel-Raj11

xrpl4j-core/src/main/java/org/xrpl/xrpl4j/crypto/keys/bc/BcKeyUtils.java

@@ -92,17 +92,6 @@ public static PrivateKey toPrivateKey(final Ed25519PrivateKeyParameters ed25519P
     );
   }
 
-  /**
-   * Convert from a {@link ECPrivateKeyParameters} to a {@link PrivateKey} with SECP256K1 key type.
-   *
-   * @param ecPrivateKeyParameters A {@link ECPrivateKeyParameters}.
-   *
-   * @return A {@link PrivateKey}.
-   */
-  public static PrivateKey toPrivateKey(final ECPrivateKeyParameters ecPrivateKeyParameters) {
-    return toPrivateKey(ecPrivateKeyParameters, KeyType.SECP256K1);
-  }
-
   /**
    * Convert from a {@link ECPrivateKeyParameters} to a {@link PrivateKey}.
    *

xrpl4j-core/src/main/java/org/xrpl/xrpl4j/crypto/mpt/Secp256k1Operations.java

@@ -4,6 +4,8 @@
 import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.math.ec.ECPoint;
+import org.xrpl.xrpl4j.crypto.keys.PrivateKey;
+import org.xrpl.xrpl4j.crypto.keys.PublicKey;
 
 import java.math.BigInteger;
 import java.util.Arrays;
@@ -236,6 +238,22 @@ public static boolean isValidScalar(byte[] scalar) {
     return scalarInt.compareTo(BigInteger.ZERO) > 0 && scalarInt.compareTo(CURVE_ORDER) < 0;
   }
 
+  /**
+   * Reduces a 32-byte hash to a valid scalar (mod curve order).
+   */
+  public static byte[] reduceToScalar(byte[] hash) {
+    BigInteger hashInt = new BigInteger(1, hash);
+    BigInteger reduced = hashInt.mod(Secp256k1Operations.getCurveOrder());
+    return Secp256k1Operations.toBytes32(reduced);
+  }
+
+  public static int appendPoint(byte[] buffer, int offset, ECPoint point) {
+    byte[] pointBytes = Secp256k1Operations.serializeCompressed(point);
+    System.arraycopy(pointBytes, 0, buffer, offset, 33);
+    return offset + 33;
+  }
+
+
   /**
    * Returns the scalar representing (n - 1), which is equivalent to -1 mod n.
    *
@@ -340,4 +358,42 @@ public static byte[] serializeUncompressedWithoutPrefix(ECPoint point) {
     System.arraycopy(uncompressedWithPrefix, 1, result, 0, 64);
     return result;
   }
+
+  // ============================================================================
+  // PublicKey / PrivateKey Conversion Utilities
+  // ============================================================================
+
+  /**
+   * Converts a {@link PublicKey} to an {@link ECPoint}.
+   *
+   * <p>This method extracts the compressed public key bytes and deserializes them
+   * to an EC point on the secp256k1 curve.</p>
+   *
+   * @param publicKey The public key to convert.
+   *
+   * @return The corresponding EC point.
+   *
+   * @throws NullPointerException if publicKey is null.
+   */
+  public static ECPoint toEcPoint(PublicKey publicKey) {
+    Objects.requireNonNull(publicKey, "publicKey must not be null");
+    return deserialize(publicKey.value().toByteArray());
+  }
+
+  /**
+   * Converts a {@link PrivateKey} to a {@link BigInteger} scalar.
+   *
+   * <p>This method extracts the natural (unprefixed) private key bytes and converts
+   * them to a BigInteger for use in elliptic curve operations.</p>
+   *
+   * @param privateKey The private key to convert.
+   *
+   * @return The private key as a BigInteger scalar.
+   *
+   * @throws NullPointerException if privateKey is null.
+   */
+  public static BigInteger toScalar(PrivateKey privateKey) {
+    Objects.requireNonNull(privateKey, "privateKey must not be null");
+    return new BigInteger(1, privateKey.naturalBytes().toByteArray());
+  }
 }

xrpl4j-core/src/main/java/org/xrpl/xrpl4j/crypto/mpt/bulletproofs/ChallengeUtils.java

@@ -0,0 +1,222 @@
+package org.xrpl.xrpl4j.crypto.mpt.bulletproofs;
+
+import com.google.common.hash.Hashing;
+import org.bouncycastle.math.ec.ECPoint;
+import org.xrpl.xrpl4j.crypto.mpt.Secp256k1Operations;
+
+import java.math.BigInteger;
+import java.nio.charset.StandardCharsets;
+import java.util.List;
+
+public class ChallengeUtils {
+
+  /**
+   * Builds the challenge hash for the Schnorr proof.
+   *
+   * <p>The challenge is computed as: SHA256("MPT_POK_SK_REGISTER" || P || T [|| contextId])</p>
+   *
+   * @param publicKey The public key point P.
+   * @param T         The commitment point (k * G).
+   * @param contextId The optional 32-byte context identifier. Can be null.
+   *
+   * @return A 32-byte challenge hash.
+   */
+  public static byte[] secretKeyProofChallenge(ECPoint publicKey, ECPoint T, byte[] contextId) {
+    String DOMAIN_SEPARATOR = "MPT_POK_SK_REGISTER";
+
+    byte[] domainBytes = DOMAIN_SEPARATOR.getBytes(StandardCharsets.UTF_8);
+    byte[] pkBytes = Secp256k1Operations.serializeCompressed(publicKey);
+    byte[] tBytes = Secp256k1Operations.serializeCompressed(T);
+
+    int contextIdLength = (contextId != null) ? 32 : 0;
+    byte[] hashInput = new byte[domainBytes.length + 33 + 33 + contextIdLength];
+    int offset = 0;
+    System.arraycopy(domainBytes, 0, hashInput, offset, domainBytes.length);
+    offset += domainBytes.length;
+    System.arraycopy(pkBytes, 0, hashInput, offset, 33);
+    offset += 33;
+    System.arraycopy(tBytes, 0, hashInput, offset, 33);
+    offset += 33;
+    if (contextId != null) {
+      System.arraycopy(contextId, 0, hashInput, offset, 32);
+    }
+
+    byte[] sha256Hash = Hashing.sha256().hashBytes(hashInput).asBytes();
+
+    // Reduce modulo curve order (equivalent to secp256k1_mpt_scalar_reduce32 in C)
+    BigInteger hashInt = new BigInteger(1, sha256Hash);
+    BigInteger reduced = hashInt.mod(Secp256k1Operations.getCurveOrder());
+    return Secp256k1Operations.toBytes32(reduced);
+  }
+
+  /**
+   * Computes the Fiat-Shamir challenge hash.
+   *
+   * <p>Hash( Domain || {R_i, S_i, Pk_i} || Tm || {TrG_i, TrP_i} || TxID )</p>
+   */
+  public static byte[] samePlaintextProofChallenge(
+    int n,
+    List<ECPoint> R,
+    List<ECPoint> S,
+    List<ECPoint> Pk,
+    ECPoint Tm,
+    List<ECPoint> TrG,
+    List<ECPoint> TrP,
+    byte[] txId
+  ) {
+    String DOMAIN_SEPARATOR = "MPT_POK_SAME_PLAINTEXT_PROOF";
+    // Calculate total size for buffer
+    // Domain + n*(R+S+Pk) + Tm + n*(TrG+TrP) + txId
+    int domainLen = DOMAIN_SEPARATOR.getBytes(StandardCharsets.UTF_8).length;
+    int pointsLen = (3 * n + 1 + 2 * n) * 33; // (R,S,Pk)*n + Tm + (TrG,TrP)*n
+    int txIdLen = (txId != null) ? 32 : 0;
+
+    byte[] buffer = new byte[domainLen + pointsLen + txIdLen];
+    int offset = 0;
+
+    // Domain separator
+    byte[] domainBytes = DOMAIN_SEPARATOR.getBytes(StandardCharsets.UTF_8);
+    System.arraycopy(domainBytes, 0, buffer, offset, domainBytes.length);
+    offset += domainBytes.length;
+
+    // Public inputs: {R_i, S_i, Pk_i}
+    for (int i = 0; i < n; i++) {
+      byte[] rBytes = Secp256k1Operations.serializeCompressed(R.get(i));
+      System.arraycopy(rBytes, 0, buffer, offset, 33);
+      offset += 33;
+
+      byte[] sBytes = Secp256k1Operations.serializeCompressed(S.get(i));
+      System.arraycopy(sBytes, 0, buffer, offset, 33);
+      offset += 33;
+
+      byte[] pkBytes = Secp256k1Operations.serializeCompressed(Pk.get(i));
+      System.arraycopy(pkBytes, 0, buffer, offset, 33);
+      offset += 33;
+    }
+
+    // Commitments: Tm
+    byte[] tmBytes = Secp256k1Operations.serializeCompressed(Tm);
+    System.arraycopy(tmBytes, 0, buffer, offset, 33);
+    offset += 33;
+
+    // Commitments: {TrG_i, TrP_i}
+    for (int i = 0; i < n; i++) {
+      byte[] trgBytes = Secp256k1Operations.serializeCompressed(TrG.get(i));
+      System.arraycopy(trgBytes, 0, buffer, offset, 33);
+      offset += 33;
+
+      byte[] trpBytes = Secp256k1Operations.serializeCompressed(TrP.get(i));
+      System.arraycopy(trpBytes, 0, buffer, offset, 33);
+      offset += 33;
+    }
+
+    // Context (tx_id)
+    if (txId != null) {
+      System.arraycopy(txId, 0, buffer, offset, 32);
+    }
+
+    // SHA256 and reduce to scalar
+    byte[] hash = Hashing.sha256().hashBytes(buffer).asBytes();
+    return Secp256k1Operations.reduceToScalar(hash);
+  }
+
+
+  /**
+   * Computes the challenge hash for the equality plaintext proof.
+   */
+  public static byte[] plaintextEqualityProofChallenge(
+    ECPoint c1,
+    ECPoint c2,
+    ECPoint publicKey,
+    ECPoint mG,
+    ECPoint T1,
+    ECPoint T2,
+    byte[] contextId
+  ) {
+    String DOMAIN_SEPARATOR = "MPT_POK_PLAINTEXT_PROOF";
+    // Calculate total size: domain + c1 + c2 + pk + [mG] + T1 + T2 + context
+    int size = DOMAIN_SEPARATOR.length() + 33 + 33 + 33 + 33 + 33 + 32;
+    if (mG != null) {
+      size += 33;
+    }
+
+    byte[] hashInput = new byte[size];
+    int offset = 0;
+
+    // Domain separator
+    byte[] domainBytes = DOMAIN_SEPARATOR.getBytes(StandardCharsets.UTF_8);
+    System.arraycopy(domainBytes, 0, hashInput, offset, domainBytes.length);
+    offset += domainBytes.length;
+
+    // C1, C2, Pk
+    byte[] c1Bytes = Secp256k1Operations.serializeCompressed(c1);
+    System.arraycopy(c1Bytes, 0, hashInput, offset, 33);
+    offset += 33;
+
+    byte[] c2Bytes = Secp256k1Operations.serializeCompressed(c2);
+    System.arraycopy(c2Bytes, 0, hashInput, offset, 33);
+    offset += 33;
+
+    byte[] pkBytes = Secp256k1Operations.serializeCompressed(publicKey);
+    System.arraycopy(pkBytes, 0, hashInput, offset, 33);
+    offset += 33;
+
+    // mG (only if nonzero)
+    if (mG != null) {
+      byte[] mGBytes = Secp256k1Operations.serializeCompressed(mG);
+      System.arraycopy(mGBytes, 0, hashInput, offset, 33);
+      offset += 33;
+    }
+
+    // T1, T2
+    byte[] t1Bytes = Secp256k1Operations.serializeCompressed(T1);
+    System.arraycopy(t1Bytes, 0, hashInput, offset, 33);
+    offset += 33;
+
+    byte[] t2Bytes = Secp256k1Operations.serializeCompressed(T2);
+    System.arraycopy(t2Bytes, 0, hashInput, offset, 33);
+    offset += 33;
+
+    // Context ID (always required)
+    System.arraycopy(contextId, 0, hashInput, offset, 32);
+
+    // SHA256 and reduce mod curve order
+    byte[] sha256Hash = Hashing.sha256().hashBytes(hashInput).asBytes();
+    BigInteger hashInt = new BigInteger(1, sha256Hash);
+    BigInteger reduced = hashInt.mod(Secp256k1Operations.getCurveOrder());
+    return Secp256k1Operations.toBytes32(reduced);
+  }
+
+  public static byte[] pedersenLinkProofChallenge(
+    ECPoint c1, ECPoint c2, ECPoint pk, ECPoint pcm,
+    ECPoint T1, ECPoint T2, ECPoint T3,
+    byte[] contextId
+  ) {
+    String DOMAIN_SEPARATOR = "MPT_ELGAMAL_PEDERSEN_LINK";
+    byte[] domainBytes = DOMAIN_SEPARATOR.getBytes(StandardCharsets.UTF_8);
+    int contextLen = (contextId != null) ? 32 : 0;
+    int bufferSize = domainBytes.length + (7 * 33) + contextLen;
+
+    byte[] buffer = new byte[bufferSize];
+    int offset = 0;
+
+    System.arraycopy(domainBytes, 0, buffer, offset, domainBytes.length);
+    offset += domainBytes.length;
+
+    offset = Secp256k1Operations.appendPoint(buffer, offset, c1);
+    offset = Secp256k1Operations.appendPoint(buffer, offset, c2);
+    offset = Secp256k1Operations.appendPoint(buffer, offset, pk);
+    offset = Secp256k1Operations.appendPoint(buffer, offset, pcm);
+    offset = Secp256k1Operations.appendPoint(buffer, offset, T1);
+    offset = Secp256k1Operations.appendPoint(buffer, offset, T2);
+    offset = Secp256k1Operations.appendPoint(buffer, offset, T3);
+
+    if (contextId != null) {
+      System.arraycopy(contextId, 0, buffer, offset, 32);
+    }
+
+    byte[] hash = Hashing.sha256().hashBytes(buffer).asBytes();
+    return Secp256k1Operations.reduceToScalar(hash);
+  }
+
+}

xrpl4j-core/src/main/java/org/xrpl/xrpl4j/crypto/mpt/bulletproofs/LinkageProofType.java

@@ -27,7 +27,7 @@
  * encode the same plaintext amount. The proof parameters are ordered differently
  * depending on whether we're proving linkage for an amount commitment or a balance commitment.</p>
  *
- * @see ElGamalPedersenLinkProofGenerator
+ * @see PedersenLinkProofGenerator
  */
 public enum LinkageProofType {
 

…s/ElGamalPedersenLinkProofGenerator.java …etproofs/PedersenLinkProofGenerator.javaxrpl4j-core/src/main/java/org/xrpl/xrpl4j/crypto/mpt/bulletproofs/ElGamalPedersenLinkProofGenerator.java renamed to xrpl4j-core/src/main/java/org/xrpl/xrpl4j/crypto/mpt/bulletproofs/PedersenLinkProofGenerator.java xrpl4j-core/src/main/java/org/xrpl/xrpl4j/crypto/mpt/bulletproofs/ElGamalPedersenLinkProofGenerator.java renamed to xrpl4j-core/src/main/java/org/xrpl/xrpl4j/crypto/mpt/bulletproofs/PedersenLinkProofGenerator.java

@@ -1,11 +1,10 @@
 package org.xrpl.xrpl4j.crypto.mpt.bulletproofs;
 
 import com.google.common.primitives.UnsignedLong;
+import org.xrpl.xrpl4j.crypto.keys.PublicKey;
 import org.xrpl.xrpl4j.crypto.mpt.BlindingFactor;
 import org.xrpl.xrpl4j.crypto.mpt.context.LinkProofContext;
 import org.xrpl.xrpl4j.crypto.mpt.elgamal.ElGamalCiphertext;
-import org.xrpl.xrpl4j.crypto.mpt.keys.ElGamalPrivateKeyable;
-import org.xrpl.xrpl4j.crypto.mpt.keys.ElGamalPublicKey;
 import org.xrpl.xrpl4j.crypto.mpt.wrapper.ElGamalPedersenLinkProof;
 import org.xrpl.xrpl4j.crypto.mpt.wrapper.PedersenCommitment;
 
@@ -59,13 +58,11 @@
  *   <li>srho (32 bytes) - Response for Pedersen blinding factor</li>
  * </ul>
  *
- * @param <P> The type of private key this generator accepts, must extend {@link ElGamalPrivateKeyable}.
- *
  * @see LinkageProofType
  * @see ElGamalPedersenLinkProof
  * @see <a href="ConfidentialMPT_20260201.pdf">Spec Section 3.3.5</a>
  */
-public interface ElGamalPedersenLinkProofGenerator<P extends ElGamalPrivateKeyable> {
+public interface PedersenLinkProofGenerator {
 
   /**
    * Generates a proof linking an ElGamal ciphertext and a Pedersen commitment.
@@ -98,38 +95,12 @@ public interface ElGamalPedersenLinkProofGenerator<P extends ElGamalPrivateKeyab
   ElGamalPedersenLinkProof generateProof(
     LinkageProofType proofType,
     ElGamalCiphertext ciphertext,
-    ElGamalPublicKey publicKey,
+    PublicKey publicKey,
     PedersenCommitment commitment,
     UnsignedLong amount,
     BlindingFactor elGamalBlindingFactor,
     BlindingFactor pedersenBlindingFactor,
     LinkProofContext context
   );
-
-  /**
-   * Verifies a proof linking an ElGamal ciphertext and a Pedersen commitment.
-   *
-   * <p>The {@link LinkageProofType} determines how the ciphertext and public key parameters
-   * are interpreted for verification, matching the ordering used during proof generation.</p>
-   *
-   * @param proofType  The type of linkage proof being verified.
-   * @param proof      The proof to verify.
-   * @param ciphertext The ElGamal ciphertext.
-   * @param publicKey  The ElGamal public key.
-   * @param commitment The Pedersen commitment.
-   * @param context    The context for domain separation. Can be null for no context.
-   *
-   * @return {@code true} if the proof is valid, {@code false} otherwise.
-   *
-   * @throws NullPointerException if proof, ciphertext, publicKey, or commitment is null.
-   */
-  boolean verify(
-    LinkageProofType proofType,
-    ElGamalPedersenLinkProof proof,
-    ElGamalCiphertext ciphertext,
-    ElGamalPublicKey publicKey,
-    PedersenCommitment commitment,
-    LinkProofContext context
-  );
 }