[draft] Vectors

nucypher-core-wasm/tests/wasm.rs

@@ -612,7 +612,7 @@ fn fleet_state_checksum_to_bytes() {
     let fleet_state_checksum = make_fleet_state_checksum();
 
     assert!(
-        fleet_state_checksum.to_bytes().len() > 0,
+        !fleet_state_checksum.to_bytes().is_empty(),
         "FleetStateChecksum does not serialize to bytes"
     );
 }

nucypher-core/Cargo.toml

@@ -13,6 +13,8 @@ categories = ["cryptography", "no-std"]
 umbral-pre = { version = "0.11.0", features = ["serde"] }
 ferveo = { package = "ferveo-pre-release", version = "0.3.0" }
 serde = { version = "1", default-features = false, features = ["derive"] }
+serde_json = "1.0"
+serde-encoded-bytes = "0.1"
 generic-array = { version = "0.14", features = ["zeroize"] }
 sha3 = "0.10"
 rmp-serde = "1"
@@ -26,3 +28,13 @@ zeroize = { version = "1.6.0", features = ["derive"] }
 rand_core = "0.6.4"
 rand_chacha = "0.3.1"
 rand = "0.8.5"
+
+[features]
+default = []
+deterministic_encryption = []
+test_vectors = ["deterministic_encryption"]
+
+[[bin]]
+name = "generate-test-vectors"
+path = "src/bin/generate_test_vectors.rs"
+required-features = ["deterministic_encryption", "test_vectors"]

nucypher-core/src/access_control.rs

@@ -43,7 +43,7 @@ impl AuthenticatedData {
     }
 }
 
-impl<'a> ProtocolObjectInner<'a> for AuthenticatedData {
+impl ProtocolObjectInner<'_> for AuthenticatedData {
     fn version() -> (u16, u16) {
         (1, 0)
     }
@@ -65,7 +65,7 @@ impl<'a> ProtocolObjectInner<'a> for AuthenticatedData {
     }
 }
 
-impl<'a> ProtocolObject<'a> for AuthenticatedData {}
+impl ProtocolObject<'_> for AuthenticatedData {}
 
 /// Encrypt data based on conditions and dkg public key.
 pub fn encrypt_for_dkg(
@@ -118,7 +118,7 @@ impl AccessControlPolicy {
     }
 }
 
-impl<'a> ProtocolObjectInner<'a> for AccessControlPolicy {
+impl ProtocolObjectInner<'_> for AccessControlPolicy {
     fn version() -> (u16, u16) {
         (1, 0)
     }
@@ -140,7 +140,7 @@ impl<'a> ProtocolObjectInner<'a> for AccessControlPolicy {
     }
 }
 
-impl<'a> ProtocolObject<'a> for AccessControlPolicy {}
+impl ProtocolObject<'_> for AccessControlPolicy {}
 
 #[cfg(test)]
 mod tests {

nucypher-core/src/bin/generate_test_vectors.rs

@@ -0,0 +1,20 @@
+use std::fs;
+use std::path::Path;
+use nucypher_core::test_vectors::{TestVector, generate_test_vectors};
+
+// Usage: cargo run --bin generate-test-vectors --features test_vectors deterministic_encryption
+fn main() {
+    // Generate test vectors
+    let test_vectors: Vec<TestVector> = generate_test_vectors();
+
+    // Create output directory if it doesn't exist
+    let output_dir = Path::new("test_vectors");
+    fs::create_dir_all(output_dir).expect("Failed to create output directory");
+
+    // Save all test vectors to a single file
+    let filename = "test_vectors/encrypt_with_shared_secret.json";
+    let json = serde_json::to_string_pretty(&test_vectors).expect("Failed to serialize test vectors");
+    fs::write(filename, json).expect("Failed to write test vectors to file");
+
+    println!("Generated {} test vectors in '{}'", test_vectors.len(), filename);
+} 

nucypher-core/src/dkg.rs

@@ -1,17 +1,19 @@
 use alloc::boxed::Box;
 use alloc::string::String;
+use alloc::vec::Vec;
 use core::fmt;
 
-use chacha20poly1305::aead::{Aead, AeadCore, KeyInit, OsRng};
+use chacha20poly1305::aead::{Aead, AeadCore, KeyInit};
 use chacha20poly1305::{ChaCha20Poly1305, Key, Nonce};
 use ferveo::api::{CiphertextHeader, FerveoVariant};
 use generic_array::typenum::Unsigned;
-use serde::{Deserialize, Serialize};
+use rand_core::{CryptoRng, RngCore};
+use serde::{Deserialize, Deserializer, Serialize, Serializer};
 use umbral_pre::serde_bytes; // TODO should this be in umbral?
 
 use crate::access_control::AccessControlPolicy;
 use crate::conditions::Context;
-use crate::dkg::session::{SessionSharedSecret, SessionStaticKey};
+use crate::dkg::session::{SessionSecretFactory, SessionSharedSecret, SessionStaticKey};
 use crate::versioning::{
     messagepack_deserialize, messagepack_serialize, DeserializationError, ProtocolObject,
     ProtocolObjectInner,
@@ -64,16 +66,40 @@ impl fmt::Display for DecryptionError {
 
 type NonceSize = <ChaCha20Poly1305 as AeadCore>::NonceSize;
 
-fn encrypt_with_shared_secret(
+#[cfg(not(feature = "deterministic_encryption"))]
+pub fn generate_encryption_nonce() -> Nonce {
+    use chacha20poly1305::aead::OsRng;
+    ChaCha20Poly1305::generate_nonce(&mut OsRng)
+}
+
+#[cfg(feature = "deterministic_encryption")]
+pub fn generate_encryption_nonce() -> Nonce {
+    use rand::rngs::StdRng;
+    use rand::SeedableRng;
+    let rng = <StdRng as SeedableRng>::from_seed([0u8; 32]); // TODO: Note that this seed is currently fixed for all tests
+    ChaCha20Poly1305::generate_nonce(rng)
+}
+
+/// Encrypts data using a shared secret with the default OS RNG.
+pub fn encrypt_with_shared_secret(
     shared_secret: &SessionSharedSecret,
     plaintext: &[u8],
+) -> Result<Box<[u8]>, EncryptionError> {
+    let nonce = generate_encryption_nonce();
+    encrypt_with_shared_secret_and_nonce(shared_secret, &nonce, plaintext)
+}
+
+/// Encrypts data using a shared secret with a custom nonce.
+fn encrypt_with_shared_secret_and_nonce(
+    shared_secret: &SessionSharedSecret,
+    nonce: &Nonce,
+    plaintext: &[u8],
 ) -> Result<Box<[u8]>, EncryptionError> {
     let key = Key::from_slice(shared_secret.as_ref());
     let cipher = ChaCha20Poly1305::new(key);
-    let nonce = ChaCha20Poly1305::generate_nonce(&mut OsRng);
     let mut result = nonce.to_vec();
     let ciphertext = cipher
-        .encrypt(&nonce, plaintext.as_ref())
+        .encrypt(nonce, plaintext.as_ref())
         .map_err(|_err| EncryptionError::PlaintextTooLarge)?;
     result.extend(ciphertext);
     Ok(result.into_boxed_slice())
@@ -210,7 +236,7 @@ pub mod session {
         }
     }
 
-    impl<'a> ProtocolObjectInner<'a> for SessionStaticKey {
+    impl ProtocolObjectInner<'_> for SessionStaticKey {
         fn version() -> (u16, u16) {
             (2, 0)
         }
@@ -235,7 +261,7 @@ pub mod session {
         }
     }
 
-    impl<'a> ProtocolObject<'a> for SessionStaticKey {}
+    impl ProtocolObject<'_> for SessionStaticKey {}
 
     /// A session secret key.
     #[derive(ZeroizeOnDrop)]
@@ -391,7 +417,7 @@ impl ThresholdDecryptionRequest {
     }
 }
 
-impl<'a> ProtocolObjectInner<'a> for ThresholdDecryptionRequest {
+impl ProtocolObjectInner<'_> for ThresholdDecryptionRequest {
     fn version() -> (u16, u16) {
         (4, 0)
     }
@@ -413,7 +439,7 @@ impl<'a> ProtocolObjectInner<'a> for ThresholdDecryptionRequest {
     }
 }
 
-impl<'a> ProtocolObject<'a> for ThresholdDecryptionRequest {}
+impl ProtocolObject<'_> for ThresholdDecryptionRequest {}
 
 /// An encrypted request for an Ursula to derive a decryption share.
 #[derive(PartialEq, Debug, Clone, Serialize, Deserialize)]
@@ -456,7 +482,7 @@ impl EncryptedThresholdDecryptionRequest {
     }
 }
 
-impl<'a> ProtocolObjectInner<'a> for EncryptedThresholdDecryptionRequest {
+impl ProtocolObjectInner<'_> for EncryptedThresholdDecryptionRequest {
     fn version() -> (u16, u16) {
         (2, 0)
     }
@@ -478,7 +504,7 @@ impl<'a> ProtocolObjectInner<'a> for EncryptedThresholdDecryptionRequest {
     }
 }
 
-impl<'a> ProtocolObject<'a> for EncryptedThresholdDecryptionRequest {}
+impl ProtocolObject<'_> for EncryptedThresholdDecryptionRequest {}
 
 /// A response from Ursula with a derived decryption share.
 #[derive(PartialEq, Eq, Debug, Serialize, Deserialize, Clone)]
@@ -509,7 +535,7 @@ impl ThresholdDecryptionResponse {
     }
 }
 
-impl<'a> ProtocolObjectInner<'a> for ThresholdDecryptionResponse {
+impl ProtocolObjectInner<'_> for ThresholdDecryptionResponse {
     fn version() -> (u16, u16) {
         (2, 0)
     }
@@ -531,7 +557,7 @@ impl<'a> ProtocolObjectInner<'a> for ThresholdDecryptionResponse {
     }
 }
 
-impl<'a> ProtocolObject<'a> for ThresholdDecryptionResponse {}
+impl ProtocolObject<'_> for ThresholdDecryptionResponse {}
 
 /// An encrypted response from Ursula with a derived decryption share.
 #[derive(PartialEq, Debug, Clone, Serialize, Deserialize)]
@@ -567,7 +593,7 @@ impl EncryptedThresholdDecryptionResponse {
     }
 }
 
-impl<'a> ProtocolObjectInner<'a> for EncryptedThresholdDecryptionResponse {
+impl ProtocolObjectInner<'_> for EncryptedThresholdDecryptionResponse {
     fn version() -> (u16, u16) {
         (2, 0)
     }
@@ -589,25 +615,42 @@ impl<'a> ProtocolObjectInner<'a> for EncryptedThresholdDecryptionResponse {
     }
 }
 
-impl<'a> ProtocolObject<'a> for EncryptedThresholdDecryptionResponse {}
+impl ProtocolObject<'_> for EncryptedThresholdDecryptionResponse {}
 
 #[cfg(test)]
 mod tests {
+    use crate::dkg::session::{
+        SessionSecretFactory, SessionSharedSecret, SessionStaticKey, SessionStaticSecret,
+    };
+    use crate::dkg::{
+        decrypt_with_shared_secret, encrypt_with_shared_secret, DecryptionError,
+        EncryptedThresholdDecryptionRequest, EncryptedThresholdDecryptionResponse, NonceSize,
+        ThresholdDecryptionRequest, ThresholdDecryptionResponse,
+    };
+    #[cfg(feature = "test_vectors")]
+    use crate::test_vectors::{TestVector, create_session_shared_secret_from_seed, generate_test_vectors};
+    use crate::{AuthenticatedData, Conditions};
+    use alloc::boxed::Box;
+    #[cfg(feature = "test_vectors")]
+    use alloc::format;
+    #[cfg(feature = "test_vectors")]
+    use alloc::string::String;
+    use alloc::vec;
+    use core::clone::Clone;
     use ferveo::api::{encrypt as ferveo_encrypt, DkgPublicKey, FerveoVariant, SecretBox};
     use generic_array::typenum::Unsigned;
+    use rand::rngs::StdRng;
+    use rand::SeedableRng;
     use rand_core::RngCore;
+    use serde::{Deserialize, Serialize};
+    use serde_json;
+    use x25519_dalek::{PublicKey, StaticSecret};
 
     use crate::access_control::AccessControlPolicy;
-    use crate::conditions::{Conditions, Context};
-    use crate::dkg::session::SessionStaticSecret;
-    use crate::dkg::{
-        decrypt_with_shared_secret, encrypt_with_shared_secret, DecryptionError, NonceSize,
-    };
-    use crate::versioning::{ProtocolObject, ProtocolObjectInner};
-    use crate::{
-        AuthenticatedData, EncryptedThresholdDecryptionRequest,
-        EncryptedThresholdDecryptionResponse, SessionSecretFactory, SessionStaticKey,
-        ThresholdDecryptionRequest, ThresholdDecryptionResponse,
+    use crate::conditions::Context;
+    use crate::versioning::{
+        messagepack_deserialize, messagepack_serialize, DeserializationError, ProtocolObject,
+        ProtocolObjectInner,
     };
 
     #[test]
@@ -832,4 +875,55 @@ mod tests {
             .decrypt(&random_shared_secret)
             .is_err());
     }
+
+    #[test]
+    #[cfg(feature = "deterministic_encryption")]
+    fn test_encryption_deterministic() {
+        use crate::dkg::session::SessionSharedSecret;
+        use rand::rngs::StdRng;
+        use rand_core::SeedableRng;
+        use x25519_dalek::{PublicKey, StaticSecret};
+
+        // Create a test session_shared_secret and test plaintext
+        let mut rng0 = <StdRng as SeedableRng>::from_seed([0u8; 32]);
+        let static_secret_a = StaticSecret::random_from_rng(&mut rng0);
+        let static_secret_b = StaticSecret::random_from_rng(&mut rng0);
+        let public_key_b = PublicKey::from(&static_secret_b);
+        let shared_secret = static_secret_a.diffie_hellman(&public_key_b);
+        let session_shared_secret = SessionSharedSecret::new(shared_secret);
+
+        let plaintext = b"test data";
+
+        // Use a seeded RNG for deterministic testing on encryption
+        let ciphertext1 = encrypt_with_shared_secret(&session_shared_secret, plaintext).unwrap();
+
+        // Reset the RNG with the same seed
+        let ciphertext2 = encrypt_with_shared_secret(&session_shared_secret, plaintext).unwrap();
+
+        // The ciphertexts will be identical because we used the same seed
+        assert_eq!(ciphertext1, ciphertext2);
+    }
+
+    #[test]
+    #[cfg(feature = "test_vectors")]
+    fn test_encryption_vectors() {
+        let test_vectors = generate_test_vectors();
+
+        // Verify each test vector
+        for vector in test_vectors {
+            let session_shared_secret = create_session_shared_secret_from_seed(vector.seed);
+            assert_eq!(session_shared_secret.as_ref(), vector.session_shared_secret);
+
+            // Verify decryption works
+            let decrypted = decrypt_with_shared_secret(&session_shared_secret, &vector.ciphertext)
+                .expect("Decryption failed");
+            assert_eq!(decrypted.as_ref(), vector.plaintext.as_slice());
+
+            // Verify encryption is deterministic
+            let new_ciphertext =
+                encrypt_with_shared_secret(&session_shared_secret, &vector.plaintext)
+                    .expect("Encryption failed");
+            assert_eq!(new_ciphertext, vector.ciphertext);
+        }
+    }
 }

nucypher-core/src/fleet_state.rs

@@ -37,7 +37,7 @@ impl FleetStateChecksum {
                 // so this may lead to unnecessary fleet state update.
                 // But, unlike ProtocolObject::to_bytes(), payload serialization
                 // is not standardized, so it is better not to rely on it.
-                digest.chain(&node.to_bytes())
+                digest.chain(node.to_bytes())
             })
             .finalize();
 

nucypher-core/src/key_frag.rs

@@ -52,7 +52,7 @@ impl AuthorizedKeyFrag {
     }
 }
 
-impl<'a> ProtocolObjectInner<'a> for AuthorizedKeyFrag {
+impl ProtocolObjectInner<'_> for AuthorizedKeyFrag {
     fn brand() -> [u8; 4] {
         *b"AKFr"
     }
@@ -74,7 +74,7 @@ impl<'a> ProtocolObjectInner<'a> for AuthorizedKeyFrag {
     }
 }
 
-impl<'a> ProtocolObject<'a> for AuthorizedKeyFrag {}
+impl ProtocolObject<'_> for AuthorizedKeyFrag {}
 
 #[allow(clippy::enum_variant_names)]
 #[derive(Debug)]
@@ -144,7 +144,7 @@ impl EncryptedKeyFrag {
     }
 }
 
-impl<'a> ProtocolObjectInner<'a> for EncryptedKeyFrag {
+impl ProtocolObjectInner<'_> for EncryptedKeyFrag {
     fn brand() -> [u8; 4] {
         *b"EKFr"
     }
@@ -166,4 +166,4 @@ impl<'a> ProtocolObjectInner<'a> for EncryptedKeyFrag {
     }
 }
 
-impl<'a> ProtocolObject<'a> for EncryptedKeyFrag {}
+impl ProtocolObject<'_> for EncryptedKeyFrag {}