mleku/next.orly.dev
1
0
Fork 1
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

Add Cashu blind signature access tokens (NIP-XX draft)

Browse Source 
Implements privacy-preserving bearer tokens for relay access control using
Cashu-style blind signatures. Tokens prove whitelist membership without
linking issuance to usage.

Features:
- BDHKE crypto primitives (HashToCurve, Blind, Sign, Unblind, Verify)
- Keyset management with weekly rotation
- Token format with kind permissions and scope isolation
- Generic issuer/verifier with pluggable authorization
- HTTP endpoints: POST /cashu/mint, GET /cashu/keysets, GET /cashu/info
- ACL adapter bridging ORLY's access control to Cashu AuthzChecker
- Stateless revocation via ACL re-check on each token use
- Two-token rotation for seamless renewal (max 2 weeks after blacklist)

Configuration:
- ORLY_CASHU_ENABLED: Enable Cashu tokens
- ORLY_CASHU_TOKEN_TTL: Token validity (default: 1 week)
- ORLY_CASHU_SCOPES: Allowed scopes (relay, nip46, blossom, api)
- ORLY_CASHU_REAUTHORIZE: Re-check ACL on each verification

Files:
- pkg/cashu/bdhke/: Core blind signature cryptography
- pkg/cashu/keyset/: Keyset management and rotation
- pkg/cashu/token/: Token format with kind permissions
- pkg/cashu/issuer/: Token issuance with authorization
- pkg/cashu/verifier/: Token verification with middleware
- pkg/interfaces/cashu/: AuthzChecker, KeysetStore interfaces
- pkg/bunker/acl_adapter.go: ORLY ACL integration
- app/handle-cashu.go: HTTP endpoints
- docs/NIP-XX-CASHU-ACCESS-TOKENS.md: Full specification

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ
2025-12-28 11:30:11 +02:00
parent 2eb523c161
commit ea4a54c5e7
18 changed files with 4129 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

293
pkg/cashu/bdhke/bdhke.go Normal file
View File

@@ -0,0 +1,293 @@
// Package bdhke implements Blind Diffie-Hellman Key Exchange for Cashu-style tokens.
// This is the core cryptographic primitive used in ecash blind signatures.
//
// The protocol allows a mint (issuer) to sign a message without knowing what
// it's signing, providing unlinkability between token issuance and redemption.
//
// Protocol overview:
// 1. User creates secret x, computes Y = HashToCurve(x)
// 2. User blinds: B_ = Y + r*G (r is random blinding factor)
// 3. Mint signs: C_ = k*B_ (k is mint's private key)
// 4. User unblinds: C = C_ - r*K (K is mint's public key)
// 5. Token is (x, C) - mint can verify: C == k*HashToCurve(x)
//
// Reference: https://github.com/cashubtc/nuts/blob/main/00.md
package bdhke
import (
"crypto/rand"
"crypto/sha256"
"encoding/binary"
"errors"
"fmt"
"github.com/decred/dcrd/dcrec/secp256k1/v4"
)
// DomainSeparator is prepended to messages before hashing to prevent
// cross-protocol attacks.
const DomainSeparator = "Secp256k1_HashToCurve_Cashu_"
// Errors
var (
ErrHashToCurveFailed = errors.New("bdhke: hash to curve failed after max iterations")
ErrInvalidPoint = errors.New("bdhke: invalid curve point")
ErrInvalidPrivateKey = errors.New("bdhke: invalid private key")
ErrSignatureMismatch = errors.New("bdhke: signature verification failed")
)
// HashToCurve deterministically maps a message to a point on secp256k1.
// Uses the try-and-increment method as specified in Cashu NUT-00.
//
// Algorithm:
// 1. Compute msg_hash = SHA256(domain_separator || message)
// 2. For counter in 0..65536:
// a. Compute hash = SHA256(msg_hash || counter)
// b. Try to parse 02 || hash as compressed point
// c. If valid point, return it
// 3. Fail if no valid point found (extremely unlikely)
func HashToCurve(message []byte) (*secp256k1.PublicKey, error) {
// Hash the message with domain separator
msgHash := sha256.Sum256(append([]byte(DomainSeparator), message...))
// Try up to 65536 iterations (in practice, ~50% chance on first try)
counterBytes := make([]byte, 4)
for counter := uint32(0); counter < 65536; counter++ {
binary.LittleEndian.PutUint32(counterBytes, counter)
// Hash again with counter
toHash := append(msgHash[:], counterBytes...)
hash := sha256.Sum256(toHash)
// Try to parse as compressed point with 02 prefix (even y)
compressed := make([]byte, 33)
compressed[0] = 0x02
copy(compressed[1:], hash[:])
pk, err := secp256k1.ParsePubKey(compressed)
if err == nil {
return pk, nil
}
}
return nil, ErrHashToCurveFailed
}
// BlindResult contains the blinding operation result.
type BlindResult struct {
B *secp256k1.PublicKey // Blinded message B_ = Y + r*G
R *secp256k1.PrivateKey // Blinding factor (keep secret until unblinding)
Y *secp256k1.PublicKey // Original point Y = HashToCurve(secret)
}
// Blind creates a blinded message from a secret.
// The blinding factor r is generated randomly and must be kept secret
// until the signature is received and needs to be unblinded.
//
// B_ = Y + r*G where:
// - Y = HashToCurve(secret)
// - r = random scalar
// - G = generator point
func Blind(secret []byte) (*BlindResult, error) {
// Compute Y = HashToCurve(secret)
Y, err := HashToCurve(secret)
if err != nil {
return nil, fmt.Errorf("blind: %w", err)
}
// Generate random blinding factor r
rBytes := make([]byte, 32)
if _, err := rand.Read(rBytes); err != nil {
return nil, fmt.Errorf("blind: failed to generate random: %w", err)
}
r := secp256k1.PrivKeyFromBytes(rBytes)
// Compute r*G (blinding factor times generator)
rG := new(secp256k1.JacobianPoint)
secp256k1.ScalarBaseMultNonConst(&r.Key, rG)
// Convert Y to Jacobian
yJ := new(secp256k1.JacobianPoint)
Y.AsJacobian(yJ)
// Compute B_ = Y + r*G
bJ := new(secp256k1.JacobianPoint)
secp256k1.AddNonConst(yJ, rG, bJ)
bJ.ToAffine()
// Convert back to PublicKey
B := secp256k1.NewPublicKey(&bJ.X, &bJ.Y)
return &BlindResult{
B: B,
R: r,
Y: Y,
}, nil
}
// BlindWithFactor creates a blinded message using a provided blinding factor.
// This is useful for testing or when the blinding factor needs to be deterministic.
func BlindWithFactor(secret []byte, rBytes []byte) (*BlindResult, error) {
if len(rBytes) != 32 {
return nil, errors.New("blind: blinding factor must be 32 bytes")
}
// Compute Y = HashToCurve(secret)
Y, err := HashToCurve(secret)
if err != nil {
return nil, fmt.Errorf("blind: %w", err)
}
r := secp256k1.PrivKeyFromBytes(rBytes)
// Compute r*G
rG := new(secp256k1.JacobianPoint)
secp256k1.ScalarBaseMultNonConst(&r.Key, rG)
// Convert Y to Jacobian
yJ := new(secp256k1.JacobianPoint)
Y.AsJacobian(yJ)
// Compute B_ = Y + r*G
bJ := new(secp256k1.JacobianPoint)
secp256k1.AddNonConst(yJ, rG, bJ)
bJ.ToAffine()
B := secp256k1.NewPublicKey(&bJ.X, &bJ.Y)
return &BlindResult{
B: B,
R: r,
Y: Y,
}, nil
}
// Sign creates a blinded signature on a blinded message.
// This is performed by the mint using its private key k.
//
// C_ = k * B_ where:
// - k = mint's private key scalar
// - B_ = blinded message from user
func Sign(B *secp256k1.PublicKey, k *secp256k1.PrivateKey) (*secp256k1.PublicKey, error) {
if B == nil || k == nil {
return nil, ErrInvalidPoint
}
// Convert B to Jacobian
bJ := new(secp256k1.JacobianPoint)
B.AsJacobian(bJ)
// Compute C_ = k * B_
cJ := new(secp256k1.JacobianPoint)
secp256k1.ScalarMultNonConst(&k.Key, bJ, cJ)
cJ.ToAffine()
C := secp256k1.NewPublicKey(&cJ.X, &cJ.Y)
return C, nil
}
// Unblind removes the blinding factor from the signature.
// This is performed by the user after receiving the blinded signature.
//
// C = C_ - r*K where:
// - C_ = blinded signature from mint
// - r = original blinding factor
// - K = mint's public key
func Unblind(C_ *secp256k1.PublicKey, r *secp256k1.PrivateKey, K *secp256k1.PublicKey) (*secp256k1.PublicKey, error) {
if C_ == nil || r == nil || K == nil {
return nil, ErrInvalidPoint
}
// Compute r*K
kJ := new(secp256k1.JacobianPoint)
K.AsJacobian(kJ)
rK := new(secp256k1.JacobianPoint)
secp256k1.ScalarMultNonConst(&r.Key, kJ, rK)
// Negate r*K to get -r*K
rK.Y.Negate(1)
rK.Y.Normalize()
// Convert C_ to Jacobian
c_J := new(secp256k1.JacobianPoint)
C_.AsJacobian(c_J)
// Compute C = C_ + (-r*K) = C_ - r*K
cJ := new(secp256k1.JacobianPoint)
secp256k1.AddNonConst(c_J, rK, cJ)
cJ.ToAffine()
C := secp256k1.NewPublicKey(&cJ.X, &cJ.Y)
return C, nil
}
// Verify checks that a token's signature is valid.
// The mint uses this to verify tokens during redemption.
//
// Checks: C == k * HashToCurve(secret) where:
// - C = unblinded signature from token
// - k = mint's private key
// - secret = token's secret value
func Verify(secret []byte, C *secp256k1.PublicKey, k *secp256k1.PrivateKey) (bool, error) {
if C == nil || k == nil {
return false, ErrInvalidPoint
}
// Compute Y = HashToCurve(secret)
Y, err := HashToCurve(secret)
if err != nil {
return false, err
}
// Compute expected = k * Y
yJ := new(secp256k1.JacobianPoint)
Y.AsJacobian(yJ)
expectedJ := new(secp256k1.JacobianPoint)
secp256k1.ScalarMultNonConst(&k.Key, yJ, expectedJ)
expectedJ.ToAffine()
expected := secp256k1.NewPublicKey(&expectedJ.X, &expectedJ.Y)
// Compare C with expected
return C.IsEqual(expected), nil
}
// VerifyWithPublicKey verifies a token without knowing the private key.
// This requires a DLEQ proof (not yet implemented).
// For now, returns error indicating this is not supported.
func VerifyWithPublicKey(secret []byte, C *secp256k1.PublicKey, K *secp256k1.PublicKey) (bool, error) {
return false, errors.New("bdhke: DLEQ proof verification not implemented")
}
// GenerateKeypair generates a new mint keypair.
func GenerateKeypair() (*secp256k1.PrivateKey, *secp256k1.PublicKey, error) {
keyBytes := make([]byte, 32)
if _, err := rand.Read(keyBytes); err != nil {
return nil, nil, fmt.Errorf("generate keypair: %w", err)
}
privKey := secp256k1.PrivKeyFromBytes(keyBytes)
pubKey := privKey.PubKey()
return privKey, pubKey, nil
}
// SecretFromBytes creates a secret suitable for token issuance.
// The secret should be 32 bytes of random data.
func SecretFromBytes(data []byte) []byte {
// Just return a copy - secrets are arbitrary byte strings
secret := make([]byte, len(data))
copy(secret, data)
return secret
}
// GenerateSecret creates a new random 32-byte secret.
func GenerateSecret() ([]byte, error) {
secret := make([]byte, 32)
if _, err := rand.Read(secret); err != nil {
return nil, fmt.Errorf("generate secret: %w", err)
}
return secret, nil
}

348
pkg/cashu/bdhke/bdhke_test.go Normal file
View File

@@ -0,0 +1,348 @@
package bdhke
import (
"bytes"
"encoding/hex"
"testing"
"github.com/decred/dcrd/dcrec/secp256k1/v4"
)
// Test vectors from Cashu NUT-00 specification
// https://github.com/cashubtc/nuts/blob/main/00.md
func TestHashToCurve(t *testing.T) {
tests := []struct {
name string
message string
expected string // Expected compressed public key in hex
}{
{
name: "test vector 1",
message: "0000000000000000000000000000000000000000000000000000000000000000",
expected: "024cce997d3b518f739663b757deaec95bcd9473c30a14ac2fd04023a739d1a725",
},
{
name: "test vector 2",
message: "0000000000000000000000000000000000000000000000000000000000000001",
expected: "022e7158e11c9506f1aa4248bf531298daa7febd6194f003edcd9b93ade6253acf",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
msgBytes, err := hex.DecodeString(tt.message)
if err != nil {
t.Fatalf("failed to decode message: %v", err)
}
point, err := HashToCurve(msgBytes)
if err != nil {
t.Fatalf("HashToCurve failed: %v", err)
}
got := hex.EncodeToString(point.SerializeCompressed())
if got != tt.expected {
t.Errorf("HashToCurve(%s) = %s, want %s", tt.message, got, tt.expected)
}
})
}
}
func TestBlindSignUnblindVerify(t *testing.T) {
// Generate mint keypair
k, K, err := GenerateKeypair()
if err != nil {
t.Fatalf("failed to generate keypair: %v", err)
}
// Generate a secret
secret, err := GenerateSecret()
if err != nil {
t.Fatalf("failed to generate secret: %v", err)
}
// User blinds the secret
blindResult, err := Blind(secret)
if err != nil {
t.Fatalf("Blind failed: %v", err)
}
// Mint signs the blinded message
C_, err := Sign(blindResult.B, k)
if err != nil {
t.Fatalf("Sign failed: %v", err)
}
// User unblinds the signature
C, err := Unblind(C_, blindResult.R, K)
if err != nil {
t.Fatalf("Unblind failed: %v", err)
}
// Verify the token
valid, err := Verify(secret, C, k)
if err != nil {
t.Fatalf("Verify failed: %v", err)
}
if !valid {
t.Error("Verify returned false, expected true")
}
}
func TestVerifyWrongSecret(t *testing.T) {
k, K, _ := GenerateKeypair()
secret1, _ := GenerateSecret()
secret2, _ := GenerateSecret()
// Create token with secret1
blindResult, _ := Blind(secret1)
C_, _ := Sign(blindResult.B, k)
C, _ := Unblind(C_, blindResult.R, K)
// Try to verify with secret2
valid, err := Verify(secret2, C, k)
if err != nil {
t.Fatalf("Verify failed: %v", err)
}
if valid {
t.Error("Verify returned true for wrong secret")
}
}
func TestVerifyWrongKey(t *testing.T) {
k1, K1, _ := GenerateKeypair()
k2, _, _ := GenerateKeypair()
secret, _ := GenerateSecret()
// Create token with k1
blindResult, _ := Blind(secret)
C_, _ := Sign(blindResult.B, k1)
C, _ := Unblind(C_, blindResult.R, K1)
// Try to verify with k2
valid, err := Verify(secret, C, k2)
if err != nil {
t.Fatalf("Verify failed: %v", err)
}
if valid {
t.Error("Verify returned true for wrong key")
}
}
func TestBlindWithFactor(t *testing.T) {
k, K, _ := GenerateKeypair()
secret := []byte("test secret message")
// Use deterministic blinding factor
rBytes := make([]byte, 32)
for i := range rBytes {
rBytes[i] = byte(i)
}
blindResult, err := BlindWithFactor(secret, rBytes)
if err != nil {
t.Fatalf("BlindWithFactor failed: %v", err)
}
// Complete the protocol
C_, _ := Sign(blindResult.B, k)
C, _ := Unblind(C_, blindResult.R, K)
valid, _ := Verify(secret, C, k)
if !valid {
t.Error("BlindWithFactor: verification failed")
}
// Do it again with same factor - should get same B
blindResult2, _ := BlindWithFactor(secret, rBytes)
if !bytes.Equal(blindResult.B.SerializeCompressed(), blindResult2.B.SerializeCompressed()) {
t.Error("BlindWithFactor not deterministic")
}
}
func TestHashToCurveDeterministic(t *testing.T) {
message := []byte("deterministic test")
p1, err := HashToCurve(message)
if err != nil {
t.Fatalf("HashToCurve failed: %v", err)
}
p2, err := HashToCurve(message)
if err != nil {
t.Fatalf("HashToCurve failed: %v", err)
}
if !p1.IsEqual(p2) {
t.Error("HashToCurve not deterministic")
}
}
func TestSignNilInputs(t *testing.T) {
k, _, _ := GenerateKeypair()
_, err := Sign(nil, k)
if err == nil {
t.Error("Sign(nil, k) should error")
}
B, _ := HashToCurve([]byte("test"))
_, err = Sign(B, nil)
if err == nil {
t.Error("Sign(B, nil) should error")
}
}
func TestUnblindNilInputs(t *testing.T) {
k, K, _ := GenerateKeypair()
secret, _ := GenerateSecret()
blindResult, _ := Blind(secret)
C_, _ := Sign(blindResult.B, k)
_, err := Unblind(nil, blindResult.R, K)
if err == nil {
t.Error("Unblind(nil, r, K) should error")
}
_, err = Unblind(C_, nil, K)
if err == nil {
t.Error("Unblind(C_, nil, K) should error")
}
_, err = Unblind(C_, blindResult.R, nil)
if err == nil {
t.Error("Unblind(C_, r, nil) should error")
}
}
func TestVerifyNilInputs(t *testing.T) {
k, K, _ := GenerateKeypair()
secret, _ := GenerateSecret()
blindResult, _ := Blind(secret)
C_, _ := Sign(blindResult.B, k)
C, _ := Unblind(C_, blindResult.R, K)
_, err := Verify(secret, nil, k)
if err == nil {
t.Error("Verify(secret, nil, k) should error")
}
_, err = Verify(secret, C, nil)
if err == nil {
t.Error("Verify(secret, C, nil) should error")
}
}
// Benchmark functions
func BenchmarkHashToCurve(b *testing.B) {
secret, _ := GenerateSecret()
b.ResetTimer()
for i := 0; i < b.N; i++ {
HashToCurve(secret)
}
}
func BenchmarkBlind(b *testing.B) {
secret, _ := GenerateSecret()
b.ResetTimer()
for i := 0; i < b.N; i++ {
Blind(secret)
}
}
func BenchmarkSign(b *testing.B) {
k, _, _ := GenerateKeypair()
secret, _ := GenerateSecret()
blindResult, _ := Blind(secret)
b.ResetTimer()
for i := 0; i < b.N; i++ {
Sign(blindResult.B, k)
}
}
func BenchmarkUnblind(b *testing.B) {
k, K, _ := GenerateKeypair()
secret, _ := GenerateSecret()
blindResult, _ := Blind(secret)
C_, _ := Sign(blindResult.B, k)
b.ResetTimer()
for i := 0; i < b.N; i++ {
Unblind(C_, blindResult.R, K)
}
}
func BenchmarkVerify(b *testing.B) {
k, K, _ := GenerateKeypair()
secret, _ := GenerateSecret()
blindResult, _ := Blind(secret)
C_, _ := Sign(blindResult.B, k)
C, _ := Unblind(C_, blindResult.R, K)
b.ResetTimer()
for i := 0; i < b.N; i++ {
Verify(secret, C, k)
}
}
func BenchmarkFullProtocol(b *testing.B) {
k, K, _ := GenerateKeypair()
b.ResetTimer()
for i := 0; i < b.N; i++ {
secret, _ := GenerateSecret()
blindResult, _ := Blind(secret)
C_, _ := Sign(blindResult.B, k)
C, _ := Unblind(C_, blindResult.R, K)
Verify(secret, C, k)
}
}
// Test that serialization/deserialization works correctly
func TestPointSerialization(t *testing.T) {
k, K, _ := GenerateKeypair()
secret, _ := GenerateSecret()
blindResult, _ := Blind(secret)
C_, _ := Sign(blindResult.B, k)
C, _ := Unblind(C_, blindResult.R, K)
// Serialize and deserialize C
serialized := C.SerializeCompressed()
deserialized, err := secp256k1.ParsePubKey(serialized)
if err != nil {
t.Fatalf("failed to parse serialized point: %v", err)
}
// Verify with deserialized point
valid, err := Verify(secret, deserialized, k)
if err != nil {
t.Fatalf("Verify failed: %v", err)
}
if !valid {
t.Error("Verify failed after point serialization round-trip")
}
// Same for K
kSerialized := K.SerializeCompressed()
kDeserialized, err := secp256k1.ParsePubKey(kSerialized)
if err != nil {
t.Fatalf("failed to parse serialized K: %v", err)
}
// Unblind with deserialized K
C2, err := Unblind(C_, blindResult.R, kDeserialized)
if err != nil {
t.Fatalf("Unblind with deserialized K failed: %v", err)
}
if !C.IsEqual(C2) {
t.Error("Unblind result differs after K round-trip")
}
}