UNPKG

zero-sight-protocol

Version:

A secure, zero-knowledge, PIN-based encryption protocol for custodial Web3 wallets.

github.com/dejaguarkyng/zsp

dejaguarkyng/zsp

68 lines (55 loc) 2.13 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
import { generateOtp, verifyOtp } from './otpManager.js'; import { deriveKey } from '../key/deriveKey.js'; import { encrypt } from '../crypto/encrypt.js'; import { decrypt } from '../crypto/decrypt.js'; import { generateSalt } from '../key/entropy.js'; // In-memory temporary store (use DB in production) const recoverySessions = new Map(); // key: email+phone, value: { encryptedWallet, salt } function combineSecret(email, phone) { return `${email}:${phone}`; } /** * Step 1: Initiate recovery — generate OTPs and store session. */ export async function initiateRecovery(email, phone, encryptedWallet, salt) { const otpEmail = generateOtp(email); const otpSMS = generateOtp(phone); const recoveryKey = combineSecret(email, phone); recoverySessions.set(recoveryKey, { encryptedWallet, salt }); return { otpEmail, otpSMS }; } /** * Step 2: Verify both OTPs before allowing PIN reset. */ export function verifyRecovery(email, phone, emailOtp, smsOtp) { const isEmailValid = verifyOtp(email, emailOtp); const isSMSValid = verifyOtp(phone, smsOtp); return isEmailValid && isSMSValid; } /** * Step 3: Reset PIN securely by decrypting with recovery secret and re-encrypting. */ export async function resetPin(email, phone, newPin) { const recoveryKey = combineSecret(email, phone); const session = recoverySessions.get(recoveryKey); if (!session) throw new Error('No recovery session found.'); const { encryptedWallet, salt } = session; // Derive recovery key from email+phone const recoveryDerivedKey = await deriveKey(recoveryKey, salt); const decryptedWallet = decrypt( recoveryDerivedKey, encryptedWallet.iv, encryptedWallet.ciphertext, encryptedWallet.tag ); // Derive new PIN key and re-encrypt const newSalt = generateSalt(); const newPinKey = await deriveKey(newPin, newSalt); const reEncrypted = encrypt(newPinKey, decryptedWallet); // Cleanup recoverySessions.delete(recoveryKey); return { newEncryptedWallet: reEncrypted, newSalt: newSalt.toString('hex') }; }