@interest-protocol/vortex-sdk 0.0.1-alpha.0 → 1.1.0

package/src/crypto/poseidon/poseidon-opt.ts

@@ -0,0 +1,184 @@
+import { F1Field, Scalar, utils } from '../ff';
+import { CONSTANTS } from './poseidon-constants-opt';
+
+export const OPT = utils.unStringifyBigInts(CONSTANTS) as {
+  C: bigint[][];
+  S: bigint[][];
+  M: bigint[][][];
+  P: bigint[][][];
+};
+
+const N_ROUNDS_F = 8;
+const N_ROUNDS_P = [
+  56, 57, 56, 60, 60, 63, 64, 63, 60, 66, 60, 65, 70, 60, 64, 68,
+];
+const SPONGE_INPUTS = 16;
+const SPONGE_CHUNK_SIZE = 31;
+
+const F = new F1Field(
+  Scalar.fromString(
+    '21888242871839275222246405745257275088548364400416034343698204186575808495617'
+  )
+);
+const pow5 = (a: bigint): bigint => F.mul(a, F.square(F.square(a)));
+
+// circomlibjs Poseidon bn128
+export class Poseidon {
+  static F = F;
+
+  static hash(inputs: bigint[]): bigint {
+    if (!(inputs.length > 0 && inputs.length <= N_ROUNDS_P.length)) {
+      throw new Error('Invalid inputs');
+    }
+
+    if (inputs.some((i) => i < 0 || i >= F.p)) {
+      throw new Error(`One or more inputs are not in the field: ${F.p}`);
+    }
+
+    const t = inputs.length + 1;
+    const nRoundsF = N_ROUNDS_F;
+    const nRoundsP = N_ROUNDS_P[t - 2];
+    const C = OPT.C[t - 2]!;
+    const S = OPT.S[t - 2]!;
+    const M = OPT.M[t - 2]!;
+    const P = OPT.P[t - 2]!;
+
+    let state: bigint[] = [F.zero, ...inputs.map((a) => F.e(a) as bigint)];
+
+    state = state.map((a, i) => F.add(a, C[i]!));
+
+    for (let r = 0; r < nRoundsF / 2 - 1; r++) {
+      state = state.map((a) => pow5(a));
+      state = state.map((a, i) => F.add(a, C[(r + 1) * t + i]!));
+      state = state.map((_, i) =>
+        state.reduce((acc, a, j) => F.add(acc, F.mul(M[j]![i]!, a)), F.zero)
+      );
+    }
+    state = state.map((a) => pow5(a));
+    state = state.map((a, i) => F.add(a, C[(nRoundsF / 2 - 1 + 1) * t + i]!));
+    state = state.map((_, i) =>
+      state.reduce((acc, a, j) => F.add(acc, F.mul(P[j]![i]!, a)), F.zero)
+    );
+    for (let r = 0; r < nRoundsP!; r++) {
+      state[0] = pow5(state[0]!);
+      state[0] = F.add(state[0]!, C[(nRoundsF / 2 + 1) * t + r]!);
+
+      const s0 = state.reduce((acc, a, j) => {
+        return F.add(acc, F.mul(S[(t * 2 - 1) * r + j]!, a!));
+      }, F.zero);
+      for (let k = 1; k < t; k++) {
+        state[k] = F.add(
+          state[k]!,
+          F.mul(state[0]!, S[(t * 2 - 1) * r + t + k - 1]!)
+        );
+      }
+      state[0] = s0;
+    }
+    for (let r = 0; r < nRoundsF / 2 - 1; r++) {
+      state = state.map((a) => pow5(a));
+      state = state.map((a, i) =>
+        F.add(a, C[(nRoundsF / 2 + 1) * t + nRoundsP! + r * t + i]!)
+      );
+      state = state.map((_, i) =>
+        state.reduce((acc, a, j) => F.add(acc, F.mul(M[j]![i]!, a)), F.zero)
+      );
+    }
+    state = state.map((a) => pow5(a));
+    state = state.map((_, i) =>
+      state.reduce((acc, a, j) => F.add(acc, F.mul(M[j]![i]!, a)), F.zero)
+    );
+
+    return F.normalize(state[0]!);
+  }
+
+  // HashBytes returns a sponge hash of a msg byte slice split into blocks of 31 bytes
+  static hashBytes(msg: Uint8Array): bigint {
+    return Poseidon.hashBytesX(msg, SPONGE_INPUTS);
+  }
+
+  // hashBytesX returns a sponge hash of a msg byte slice split into blocks of 31 bytes
+  static hashBytesX(msg: Uint8Array, frameSize: number): bigint {
+    const inputs = new Array(frameSize).fill(BigInt(0));
+    let dirty = false;
+    let hash!: bigint;
+
+    let k = 0;
+    for (let i = 0; i < parseInt(`${msg.length / SPONGE_CHUNK_SIZE}`); i += 1) {
+      dirty = true;
+      inputs[k] = utils.beBuff2int(
+        msg.slice(SPONGE_CHUNK_SIZE * i, SPONGE_CHUNK_SIZE * (i + 1))
+      );
+      if (k === frameSize - 1) {
+        hash = Poseidon.hash(inputs);
+        dirty = false;
+        inputs[0] = hash;
+        inputs.fill(BigInt(0), 1, SPONGE_CHUNK_SIZE);
+        for (let j = 1; j < frameSize; j += 1) {
+          inputs[j] = BigInt(0);
+        }
+        k = 1;
+      } else {
+        k += 1;
+      }
+    }
+
+    if (msg.length % SPONGE_CHUNK_SIZE != 0) {
+      const buff = new Uint8Array(SPONGE_CHUNK_SIZE);
+      const slice = msg.slice(
+        parseInt(`${msg.length / SPONGE_CHUNK_SIZE}`) * SPONGE_CHUNK_SIZE
+      );
+      slice.forEach((v, idx) => {
+        buff[idx] = v;
+      });
+      inputs[k] = utils.beBuff2int(buff);
+      dirty = true;
+    }
+
+    if (dirty) {
+      // we haven't hashed something in the main sponge loop and need to do hash here
+      hash = Poseidon.hash(inputs);
+    }
+
+    return hash;
+  }
+
+  // SpongeHashX returns a sponge hash of inputs using Poseidon with configurable frame size
+  static spongeHashX(inputs: bigint[], frameSize: number): bigint {
+    if (frameSize < 2 || frameSize > 16) {
+      throw new Error('incorrect frame size');
+    }
+
+    // not used frame default to zero
+    let frame = new Array(frameSize).fill(BigInt(0));
+
+    let dirty = false;
+    let hash!: bigint;
+
+    let k = 0;
+    for (let i = 0; i < inputs.length; i++) {
+      dirty = true;
+      frame[k] = inputs[i];
+      if (k === frameSize - 1) {
+        hash = this.hash(frame);
+        dirty = false;
+        frame = new Array(frameSize).fill(BigInt(0));
+        frame[0] = hash;
+        k = 1;
+      } else {
+        k++;
+      }
+    }
+
+    if (dirty) {
+      // we haven't hashed something in the main sponge loop and need to do hash here
+      hash = this.hash(frame);
+    }
+
+    if (!hash) {
+      throw new Error('hash is undefined');
+    }
+
+    return hash;
+  }
+}
+export const poseidon = Poseidon;

package/src/deposit.ts

@@ -0,0 +1,168 @@
+import { Transaction } from '@mysten/sui/transactions';
+import { prove, verify } from './utils';
+import invariant from 'tiny-invariant';
+import { VortexKeypair } from './entities/keypair';
+import { Utxo } from './entities/utxo';
+import {
+  TREASURY_ADDRESS,
+  DEPOSIT_FEE_IN_BASIS_POINTS,
+  BASIS_POINTS,
+  BN254_FIELD_MODULUS,
+} from './constants';
+import { computeExtDataHash } from './utils/ext-data';
+import { fromHex, normalizeSuiAddress } from '@mysten/sui/utils';
+import { bytesToBigInt, reverseBytes, toProveInput } from './utils';
+import { Proof, Action, DepositArgs } from './vortex.types';
+import { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';
+
+export const deposit = async ({
+  tx = new Transaction(),
+  amount,
+  unspentUtxos = [],
+  vortex,
+  vortexKeypair,
+  merkleTree,
+}: DepositArgs) => {
+  invariant(unspentUtxos.length <= 2, 'Unspent UTXOs must be at most 2');
+  invariant(
+    BN254_FIELD_MODULUS > amount,
+    'Amount must be less than field modulus'
+  );
+
+  const depositFee = (amount * DEPOSIT_FEE_IN_BASIS_POINTS) / BASIS_POINTS;
+
+  invariant(depositFee > 0n, 'Deposit fee must be greater than 0');
+
+  // Deposits we do not need a recipient, so we use a random one.
+  const randomRecipient = normalizeSuiAddress(
+    Ed25519Keypair.generate().toSuiAddress()
+  );
+  const randomVortexKeypair = VortexKeypair.generate();
+
+  // Determine input UTXOs
+  const inputUtxo0 =
+    unspentUtxos.length > 0 && unspentUtxos[0].amount > 0n
+      ? unspentUtxos[0]
+      : new Utxo({
+          amount: 0n,
+          keypair: vortexKeypair,
+        });
+
+  const inputUtxo1 =
+    unspentUtxos.length > 1 && unspentUtxos[1].amount > 0n
+      ? unspentUtxos[1]
+      : new Utxo({
+          amount: 0n,
+          keypair: vortexKeypair,
+        });
+
+  const amountMinusFrontendFee = amount - depositFee;
+  const nextIndex = await vortex.nextIndex();
+
+  // Calculate output UTXO0 amount: if using unspent UTXOs, include their amounts
+  const outputUtxo0 = new Utxo({
+    amount: amountMinusFrontendFee + inputUtxo0.amount + inputUtxo1.amount,
+    index: nextIndex,
+    keypair: vortexKeypair,
+  });
+
+  // Dummy UTXO1 for obfuscation
+  const outputUtxo1 = new Utxo({
+    amount: 0n,
+    index: nextIndex + 1n,
+    keypair: vortexKeypair,
+  });
+
+  const [nullifier0, nullifier1, commitment0, commitment1] = [
+    inputUtxo0.nullifier(),
+    inputUtxo1.nullifier(),
+    outputUtxo0.commitment(),
+    outputUtxo1.commitment(),
+  ];
+
+  const encryptedUtxo0 = VortexKeypair.encryptUtxoFor(
+    outputUtxo0.payload(),
+    vortexKeypair.encryptionKey
+  );
+
+  // UTXO1 is a dummy UTXO for obfuscation, so we use a random Vortex keypair.
+  const encryptedUtxo1 = VortexKeypair.encryptUtxoFor(
+    outputUtxo1.payload(),
+    randomVortexKeypair.encryptionKey
+  );
+
+  const extDataHash = computeExtDataHash({
+    recipient: randomRecipient,
+    value: amountMinusFrontendFee,
+    valueSign: true,
+    // No relayer for deposits
+    relayer: '0x0',
+    relayerFee: 0n,
+    encryptedOutput0: fromHex(encryptedUtxo0),
+    encryptedOutput1: fromHex(encryptedUtxo1),
+  });
+
+  const extDataHashBigInt = bytesToBigInt(reverseBytes(extDataHash));
+
+  // Prepare circuit input
+  const input = toProveInput({
+    merkleTree,
+    publicAmount: amountMinusFrontendFee,
+    extDataHash: extDataHashBigInt,
+    nullifier0,
+    nullifier1,
+    commitment0,
+    commitment1,
+    vortexKeypair,
+    inputUtxo0,
+    inputUtxo1,
+    outputUtxo0,
+    outputUtxo1,
+  });
+
+  const proofJson: string = prove(JSON.stringify(input));
+
+  const proof: Proof = JSON.parse(proofJson);
+
+  invariant(verify(proofJson), 'Proof verification failed');
+
+  const { extData, tx: tx2 } = vortex.newExtData({
+    tx,
+    recipient: randomRecipient,
+    value: amountMinusFrontendFee,
+    action: Action.Deposit,
+    relayer: normalizeSuiAddress('0x0'),
+    relayerFee: 0n,
+    encryptedOutput0: fromHex(encryptedUtxo0),
+    encryptedOutput1: fromHex(encryptedUtxo1),
+  });
+
+  const { proof: moveProof, tx: tx3 } = vortex.newProof({
+    tx: tx2,
+    proofPoints: fromHex('0x' + proof.proofSerializedHex),
+    root: merkleTree.root(),
+    publicValue: amountMinusFrontendFee,
+    action: Action.Deposit,
+    extDataHash: extDataHashBigInt,
+    inputNullifier0: nullifier0,
+    inputNullifier1: nullifier1,
+    outputCommitment0: commitment0,
+    outputCommitment1: commitment1,
+  });
+
+  const [suiCoinDeposit, suiCoinFee] = tx3.splitCoins(tx3.gas, [
+    tx3.pure.u64(amountMinusFrontendFee),
+    tx3.pure.u64(depositFee),
+  ]);
+
+  tx3.transferObjects([suiCoinFee], tx3.pure.address(TREASURY_ADDRESS));
+
+  const { tx: tx4 } = vortex.transact({
+    tx: tx3,
+    proof: moveProof,
+    extData: extData,
+    deposit: suiCoinDeposit,
+  });
+
+  return tx4;
+};

package/src/entities/index.ts

@@ -0,0 +1,3 @@
+export * from './keypair';
+export * from './merkle-tree';
+export * from './utxo';

package/src/entities/keypair.ts

@@ -0,0 +1,262 @@
+import { poseidon1, poseidon3 } from '../crypto';
+import { BN254_FIELD_MODULUS, VORTEX_SIGNATURE_DOMAIN } from '../constants';
+
+import { fromBase64, fromHex, toHex } from '@mysten/sui/utils';
+import { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';
+import invariant from 'tiny-invariant';
+import { randomBytes } from '@noble/ciphers/utils.js';
+import { x25519 } from '@noble/curves/ed25519.js';
+import { xsalsa20poly1305 } from '@noble/ciphers/salsa.js';
+import { blake2b } from '@noble/hashes/blake2.js';
+
+export interface UtxoPayload {
+  amount: bigint;
+  blinding: bigint;
+  index: bigint;
+}
+
+interface EncryptedMessage {
+  version: string;
+  nonce: string; // base64
+  ephemPublicKey: string; // base64
+  ciphertext: string; // base64
+}
+
+// Sui wallet signature function type
+type SignMessageFn = (message: Uint8Array) => Promise<{
+  signature: string;
+  bytes: string;
+}>;
+
+function packEncryptedMessage(encryptedMessage: EncryptedMessage): string {
+  const nonceBuf = Buffer.from(encryptedMessage.nonce, 'base64');
+  const ephemPublicKeyBuf = Buffer.from(
+    encryptedMessage.ephemPublicKey,
+    'base64'
+  );
+  const ciphertextBuf = Buffer.from(encryptedMessage.ciphertext, 'base64');
+
+  const messageBuff = Buffer.concat([
+    Buffer.alloc(24 - nonceBuf.length),
+    nonceBuf,
+    Buffer.alloc(32 - ephemPublicKeyBuf.length),
+    ephemPublicKeyBuf,
+    ciphertextBuf,
+  ]);
+
+  return '0x' + messageBuff.toString('hex');
+}
+
+function unpackEncryptedMessage(encryptedMessage: string): EncryptedMessage {
+  if (encryptedMessage.slice(0, 2) === '0x') {
+    encryptedMessage = encryptedMessage.slice(2);
+  }
+
+  const messageBuff = Buffer.from(encryptedMessage, 'hex');
+
+  const nonceBuf = messageBuff.subarray(0, 24);
+  const ephemPublicKeyBuf = messageBuff.subarray(24, 56);
+  const ciphertextBuf = messageBuff.subarray(56);
+
+  return {
+    version: 'x25519-xsalsa20-poly1305',
+    nonce: nonceBuf.toString('base64'),
+    ephemPublicKey: ephemPublicKeyBuf.toString('base64'),
+    ciphertext: ciphertextBuf.toString('base64'),
+  };
+}
+
+export class VortexKeypair {
+  privateKey: bigint;
+  publicKey: string;
+  encryptionKey: string; // base64 encoded X25519 public key
+  private x25519PrivateKey: Uint8Array | null;
+
+  constructor(privateKey: bigint) {
+    this.privateKey = privateKey % BN254_FIELD_MODULUS;
+    this.publicKey = poseidon1(this.privateKey).toString();
+
+    const privKeyBytes = this.#getPrivateKeyBytes();
+    this.x25519PrivateKey = blake2b(privKeyBytes, { dkLen: 32 });
+
+    invariant(
+      this.x25519PrivateKey.length === 32,
+      'X25519 private key must be 32 bytes'
+    );
+
+    const x25519PublicKey = x25519.getPublicKey(this.x25519PrivateKey);
+    this.encryptionKey = Buffer.from(x25519PublicKey).toString('base64');
+  }
+
+  static fromSuiPrivateKey(privateKey: string): VortexKeypair {
+    return new VortexKeypair(
+      BigInt('0x' + toHex(fromBase64(privateKey.replace('suiprivkey', ''))))
+    );
+  }
+
+  static generate(): VortexKeypair {
+    const keypair = Ed25519Keypair.generate();
+    return new VortexKeypair(
+      BigInt(
+        '0x' +
+          toHex(fromBase64(keypair.getSecretKey().replace('suiprivkey', '')))
+      )
+    );
+  }
+
+  static fromString(str: string): VortexKeypair {
+    if (str.startsWith('0x')) {
+      str = str.slice(2);
+    }
+
+    invariant(str.length === 128, 'Invalid key length');
+
+    const keypair = Object.create(VortexKeypair.prototype);
+    keypair.privateKey = null;
+    keypair.x25519PrivateKey = null;
+    keypair.publicKey = BigInt('0x' + str.slice(0, 64)).toString();
+    keypair.encryptionKey = Buffer.from(str.slice(64, 128), 'hex').toString(
+      'base64'
+    );
+
+    return keypair;
+  }
+
+  static async fromSuiWallet(
+    suiAddress: string,
+    signMessage: SignMessageFn
+  ): Promise<VortexKeypair> {
+    // Domain-separated message to prevent signature reuse
+    const message = new TextEncoder().encode(
+      `Generate Vortex Keypair\n\nThis signature will be used to derive your Vortex privacy keypair.\n\nAddress: ${suiAddress}\nDomain: ${VORTEX_SIGNATURE_DOMAIN}`
+    );
+
+    const { signature } = await signMessage(message);
+
+    const signatureBytes = fromBase64(signature);
+    const seed = blake2b(signatureBytes, { dkLen: 32 });
+
+    const privateKey = BigInt('0x' + toHex(seed));
+
+    return new VortexKeypair(privateKey);
+  }
+
+  static encryptFor(bytes: Buffer, recipientEncryptionKey: string): string {
+    const ephemeralPrivateKey = randomBytes(32);
+    const ephemeralPublicKey = x25519.getPublicKey(ephemeralPrivateKey);
+
+    const recipientPublicKey = Buffer.from(recipientEncryptionKey, 'base64');
+
+    invariant(
+      recipientPublicKey.length === 32,
+      'Recipient public key must be 32 bytes'
+    );
+
+    const sharedSecret = x25519.getSharedSecret(
+      ephemeralPrivateKey,
+      recipientPublicKey
+    );
+
+    const nonce = randomBytes(24);
+    const cipher = xsalsa20poly1305(sharedSecret, nonce);
+    const ciphertext = cipher.encrypt(bytes);
+
+    const encryptedMessage: EncryptedMessage = {
+      version: 'x25519-xsalsa20-poly1305',
+      nonce: Buffer.from(nonce).toString('base64'),
+      ephemPublicKey: Buffer.from(ephemeralPublicKey).toString('base64'),
+      ciphertext: Buffer.from(ciphertext).toString('base64'),
+    };
+
+    return packEncryptedMessage(encryptedMessage);
+  }
+
+  static encryptUtxoFor(
+    utxo: UtxoPayload,
+    recipientEncryptionKey: string
+  ): string {
+    const utxoString = `${utxo.amount.toString()}|${utxo.blinding.toString()}|${utxo.index.toString()}`;
+    const bytes = Buffer.from(utxoString, 'utf8');
+    return VortexKeypair.encryptFor(bytes, recipientEncryptionKey);
+  }
+
+  decryptUtxo(encryptedData: string): UtxoPayload {
+    const decrypted = this.#decrypt(encryptedData);
+    const decryptedStr = decrypted.toString('utf8');
+    const parts = decryptedStr.split('|');
+
+    invariant(parts.length === 3, 'Invalid UTXO format after decryption');
+
+    return {
+      amount: BigInt(parts[0]),
+      blinding: BigInt(parts[1]),
+      index: BigInt(parts[2]),
+    };
+  }
+
+  sign(commitment: bigint, merklePath: bigint): bigint {
+    invariant(this.privateKey !== null, 'Cannot sign without private key');
+    return poseidon3(this.privateKey, commitment, merklePath);
+  }
+
+  toString(): string {
+    const pubkeyHex = BigInt(this.publicKey).toString(16).padStart(64, '0');
+    const encKeyHex = Buffer.from(this.encryptionKey, 'base64').toString('hex');
+    return '0x' + pubkeyHex + encKeyHex;
+  }
+
+  address(): string {
+    return this.toString();
+  }
+
+  #decrypt(data: string): Buffer {
+    invariant(this.privateKey !== null, 'Cannot decrypt without private key');
+    invariant(
+      this.x25519PrivateKey !== null,
+      'Cannot decrypt without X25519 private key'
+    );
+
+    const encryptedMessage = unpackEncryptedMessage(data);
+
+    const ephemeralPublicKey = Buffer.from(
+      encryptedMessage.ephemPublicKey,
+      'base64'
+    );
+
+    invariant(
+      ephemeralPublicKey.length === 32,
+      'Ephemeral public key must be 32 bytes'
+    );
+
+    // Derive shared secret
+    const sharedSecret = x25519.getSharedSecret(
+      this.x25519PrivateKey,
+      ephemeralPublicKey
+    );
+
+    // Decrypt using XSalsa20-Poly1305
+    const nonce = Buffer.from(encryptedMessage.nonce, 'base64');
+    const ciphertext = Buffer.from(encryptedMessage.ciphertext, 'base64');
+
+    const cipher = xsalsa20poly1305(sharedSecret, nonce);
+    const decrypted = cipher.decrypt(ciphertext);
+
+    return Buffer.from(decrypted);
+  }
+
+  #getPrivateKeyBytes(): Uint8Array {
+    const hex = this.privateKey.toString(16).padStart(64, '0');
+    const bytes = fromHex(hex);
+
+    // Ensure it's exactly 32 bytes
+    if (bytes.length < 32) {
+      const padded = new Uint8Array(32);
+      padded.set(bytes, 32 - bytes.length);
+      return padded;
+    } else if (bytes.length > 32) {
+      return bytes.slice(bytes.length - 32);
+    }
+
+    return bytes;
+  }
+}