feat(zk): add ElGamal & AES key derivation

Author: sonicfromnewyoke

go.mod

@@ -3,6 +3,7 @@ module github.com/gagliardetto/solana-go
 go 1.24.0
 
 require (
+	filippo.io/edwards25519 v1.2.0
 	github.com/AlekSi/pointer v1.2.0
 	github.com/buger/jsonparser v1.1.2
 	github.com/davecgh/go-spew v1.1.1
@@ -28,6 +29,7 @@ require (
 	github.com/spf13/viper v1.21.0
 	github.com/streamingfast/logging v0.0.0-20250404134358-92b15d2fbd2e
 	github.com/stretchr/testify v1.11.1
+	github.com/tyler-smith/go-bip39 v1.1.0
 	go.mongodb.org/mongo-driver/v2 v2.5.0
 	go.uber.org/ratelimit v0.3.1
 	go.uber.org/zap v1.27.0

go.sum

@@ -4,6 +4,8 @@ cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIi
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
+filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo=
+filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc=
 github.com/AlekSi/pointer v1.2.0 h1:glcy/gc4h8HnG2Z3ZECSzZ1IX1x2JxRVuDzaJwQE0+w=
 github.com/AlekSi/pointer v1.2.0/go.mod h1:gZGfd3dpW4vEc/UlyfKKi1roIqcCgwOIvb0tSNSBle0=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
@@ -151,6 +153,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/test-go/testify v1.1.4 h1:Tf9lntrKUMHiXQ07qBScBTSA0dhYQlu83hswqelv1iE=
 github.com/test-go/testify v1.1.4/go.mod h1:rH7cfJo/47vWGdi4GPj16x3/t1xGOj2YxzmNQzk2ghU=
+github.com/tyler-smith/go-bip39 v1.1.0 h1:5eUemwrMargf3BSLRRCalXT93Ns6pQJIjYQN2nyfOP8=
+github.com/tyler-smith/go-bip39 v1.1.0/go.mod h1:gUYDtqQw1JS3ZJ8UWVcGTGqqr6YIN3CWg+kkNaLt55U=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
 go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
@@ -189,6 +193,7 @@ go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
 golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=

programs/token-2022/zkencryption/ae_key.go

@@ -0,0 +1,80 @@
+package zkencryption
+
+import (
+	"crypto/sha3"
+	"fmt"
+
+	"github.com/gagliardetto/solana-go"
+	"github.com/tyler-smith/go-bip39"
+)
+
+// AeKeyLen is the byte length of an authenticated-encryption key (AES-128-GCM-SIV).
+const AeKeyLen = 16
+
+// aeSigningDomain is the domain-separation prefix prepended to the public
+// seed before signing. It must match b"AeKey" in solana-zk-sdk.
+const aeSigningDomain = "AeKey"
+
+// minAeSeedLen / maxAeSeedLen mirror the bounds enforced in solana-zk-sdk's
+// SeedDerivable::from_seed implementation for AeKey.
+const (
+	minAeSeedLen = AeKeyLen
+	maxAeSeedLen = 65535
+)
+
+// AeKey is a 128-bit authenticated-encryption key used by the Token-2022
+// confidential-transfer extension to encrypt u64 amounts under AES-128-GCM-SIV.
+type AeKey [AeKeyLen]byte
+
+// AeKeyFromSeed derives an AeKey from an entropy seed by hashing the seed with
+// SHA3-512 and taking the first 16 bytes, matching SeedDerivable::from_seed in
+// solana-zk-sdk.
+func AeKeyFromSeed(seed []byte) (AeKey, error) {
+	if len(seed) < minAeSeedLen {
+		return AeKey{}, ErrSeedTooShort
+	}
+	if len(seed) > maxAeSeedLen {
+		return AeKey{}, ErrSeedTooLong
+	}
+	h := sha3.Sum512(seed)
+	var out AeKey
+	copy(out[:], h[:AeKeyLen])
+	return out, nil
+}
+
+// AeKeyFromSignature derives an AeKey from an ed25519 signature by using
+// SHA3-512(signature) as the seed. Mirrors AeKey::seed_from_signature +
+// from_seed in solana-zk-sdk. No default-signature check is performed here;
+// use AeKeyFromSigner if the signature originates from a local signer.
+func AeKeyFromSignature(sig solana.Signature) (AeKey, error) {
+	h := sha3.Sum512(sig[:])
+	return AeKeyFromSeed(h[:])
+}
+
+// AeKeyFromSigner deterministically derives an AeKey from a Solana signer and
+// a public seed. The signer signs b"AeKey" || publicSeed; the signature is
+// then hashed with SHA3-512 and the result fed into AeKeyFromSeed. An
+// all-zero (default) signature is rejected, matching the Rust implementation.
+func AeKeyFromSigner(signer Signer, publicSeed []byte) (AeKey, error) {
+	msg := make([]byte, 0, len(aeSigningDomain)+len(publicSeed))
+	msg = append(msg, aeSigningDomain...)
+	msg = append(msg, publicSeed...)
+
+	sig, err := signer.Sign(msg)
+	if err != nil {
+		return AeKey{}, fmt.Errorf("zkencryption: sign AeKey public seed: %w", err)
+	}
+	if sig == (solana.Signature{}) {
+		return AeKey{}, ErrDefaultSignature
+	}
+	return AeKeyFromSignature(sig)
+}
+
+// AeKeyFromSeedPhraseAndPassphrase derives an AeKey from a BIP39 mnemonic and
+// an optional passphrase using the standard BIP39 PBKDF2-HMAC-SHA512 seed
+// derivation (2048 iterations, 64-byte output), matching
+// solana_seed_phrase::generate_seed_from_seed_phrase_and_passphrase. Solana
+// does not validate the mnemonic checksum at this layer, and neither do we.
+func AeKeyFromSeedPhraseAndPassphrase(mnemonic, passphrase string) (AeKey, error) {
+	return AeKeyFromSeed(bip39.NewSeed(mnemonic, passphrase))
+}

programs/token-2022/zkencryption/doc.go

@@ -0,0 +1,13 @@
+// Package zkencryption ports the deterministic key-derivation functions from
+// solana-zk-sdk (zk-sdk/src/encryption) to Go. It produces byte-for-byte
+// identical ElGamal secret keys and authenticated-encryption (AeKey) keys to
+// the Rust and JS/WASM reference implementations, so the same signer and
+// public seed derive the same key material across all three SDKs.
+//
+// Scope: key derivation only. Encryption, decryption, Pedersen commitments,
+// and zero-knowledge proof generation are not in this package; callers that
+// need a full confidential-transfer flow must still produce proofs via an
+// external source (Rust solana-zk-sdk or JS @solana/zk-sdk WASM).
+//
+// Reference: https://github.com/solana-program/zk-elgamal-proof
+package zkencryption

programs/token-2022/zkencryption/elgamal_secret.go

@@ -0,0 +1,92 @@
+package zkencryption
+
+import (
+	"crypto/sha3"
+	"fmt"
+
+	"filippo.io/edwards25519"
+	"github.com/gagliardetto/solana-go"
+	"github.com/tyler-smith/go-bip39"
+)
+
+// ElGamalSecretKeyLen is the canonical length of an ElGamal secret scalar
+// encoded in little-endian form (matches curve25519-dalek Scalar::as_bytes).
+const ElGamalSecretKeyLen = 32
+
+// elGamalSigningDomain is the domain-separation prefix prepended to the
+// public seed before signing. It must match b"ElGamalSecretKey" in
+// solana-zk-sdk.
+const elGamalSigningDomain = "ElGamalSecretKey"
+
+// minElGamalSeedLen / maxElGamalSeedLen mirror the bounds enforced in
+// solana-zk-sdk's ElGamalSecretKey::from_seed implementation.
+const (
+	minElGamalSeedLen = ElGamalSecretKeyLen
+	maxElGamalSeedLen = 65535
+)
+
+// ElGamalSecretKey is a canonical little-endian encoding of a Ristretto/Ed25519
+// scalar mod ell. It is the Token-2022 confidential-transfer ElGamal private
+// key; byte-for-byte equivalent to ElGamalSecretKey::as_bytes in solana-zk-sdk.
+type ElGamalSecretKey [ElGamalSecretKeyLen]byte
+
+// ElGamalSecretKeyFromSeed derives an ElGamal secret key from an entropy seed
+// by computing Scalar::from_bytes_mod_order_wide(SHA3-512(seed)), matching
+// curve25519-dalek's Scalar::hash_from_bytes::<Sha3_512>.
+func ElGamalSecretKeyFromSeed(seed []byte) (ElGamalSecretKey, error) {
+	if len(seed) < minElGamalSeedLen {
+		return ElGamalSecretKey{}, ErrSeedTooShort
+	}
+	if len(seed) > maxElGamalSeedLen {
+		return ElGamalSecretKey{}, ErrSeedTooLong
+	}
+
+	h := sha3.Sum512(seed)
+	// SetUniformBytes only errors on wrong input length; Sum512 always
+	// returns 64 bytes, so this branch is unreachable in practice but kept
+	// to avoid an implicit panic if the upstream contract ever changes.
+	s, err := edwards25519.NewScalar().SetUniformBytes(h[:])
+	if err != nil {
+		return ElGamalSecretKey{}, ErrInvalidScalarEncoding
+	}
+
+	var out ElGamalSecretKey
+	copy(out[:], s.Bytes())
+	return out, nil
+}
+
+// ElGamalSecretKeyFromSignature derives an ElGamal secret key from an ed25519
+// signature by using SHA3-512(signature) as the seed. Mirrors
+// ElGamalSecretKey::seed_from_signature + from_seed in solana-zk-sdk.
+func ElGamalSecretKeyFromSignature(sig solana.Signature) (ElGamalSecretKey, error) {
+	h := sha3.Sum512(sig[:])
+	return ElGamalSecretKeyFromSeed(h[:])
+}
+
+// ElGamalSecretKeyFromSigner deterministically derives an ElGamal secret key
+// from a Solana signer and a public seed. The signer signs
+// b"ElGamalSecretKey" || publicSeed; the signature is hashed with SHA3-512
+// and fed into ElGamalSecretKeyFromSeed. An all-zero (default) signature is
+// rejected to match the Rust implementation.
+func ElGamalSecretKeyFromSigner(signer Signer, publicSeed []byte) (ElGamalSecretKey, error) {
+	msg := make([]byte, 0, len(elGamalSigningDomain)+len(publicSeed))
+	msg = append(msg, elGamalSigningDomain...)
+	msg = append(msg, publicSeed...)
+
+	sig, err := signer.Sign(msg)
+	if err != nil {
+		return ElGamalSecretKey{}, fmt.Errorf("zkencryption: sign ElGamalSecretKey public seed: %w", err)
+	}
+	if sig == (solana.Signature{}) {
+		return ElGamalSecretKey{}, ErrDefaultSignature
+	}
+	return ElGamalSecretKeyFromSignature(sig)
+}
+
+// ElGamalSecretKeyFromSeedPhraseAndPassphrase derives an ElGamal secret key
+// from a BIP39 mnemonic and an optional passphrase, matching
+// solana_seed_phrase's PBKDF2-HMAC-SHA512 derivation. Solana does not
+// validate the mnemonic checksum at this layer, and neither do we.
+func ElGamalSecretKeyFromSeedPhraseAndPassphrase(mnemonic, passphrase string) (ElGamalSecretKey, error) {
+	return ElGamalSecretKeyFromSeed(bip39.NewSeed(mnemonic, passphrase))
+}

programs/token-2022/zkencryption/errors.go

@@ -0,0 +1,10 @@
+package zkencryption
+
+import "errors"
+
+var (
+	ErrSeedTooShort          = errors.New("zkencryption: seed is too short")
+	ErrSeedTooLong           = errors.New("zkencryption: seed is too long")
+	ErrDefaultSignature      = errors.New("zkencryption: refusing to derive key from default (all-zero) signature")
+	ErrInvalidScalarEncoding = errors.New("zkencryption: scalar wide-reduction failed")
+)