# Phase 2, Milestone 1: Wallet Cryptography > Cryptographic operations for CLI wallet **Status**: ✅ Complete **Priority**: High **Application**: `synor-cli` --- ## Overview Implement all cryptographic operations needed for the CLI wallet: mnemonic handling, keypair generation, encryption, and transaction signing. --- ## Tasks ### Task 1.1: Mnemonic Integration - [x] Use synor-crypto Mnemonic for phrase generation - [x] Generate 24-word BIP39 phrases - [x] Implement BIP39 seed derivation - [x] Support optional passphrase - [x] Validate mnemonic words **Files:** - `apps/cli/src/wallet.rs` **Validation:** ```bash ./target/release/synor wallet create # Verify 24 words are displayed # Verify words are from BIP39 wordlist ``` ### Task 1.2: Keypair Generation - [x] Generate Ed25519 keypair from seed - [x] Generate Dilithium3 keypair from seed - [x] Create hybrid keypair structure - [x] Derive addresses from public keys - [x] Support multiple address indices **Files:** - `apps/cli/src/wallet.rs` **Validation:** ```bash ./target/release/synor wallet create ./target/release/synor wallet addresses # Verify address format: synor:qz... ``` ### Task 1.3: Wallet Encryption - [x] Implement AES-256-GCM encryption - [x] Use Argon2id for password-based key derivation - [x] Store encrypted wallet file - [x] Implement wallet unlock - [x] Secure memory handling **Files:** - `apps/cli/src/wallet.rs` **Encryption Parameters:** - Argon2id: m=64MB, t=3, p=4 - AES-256-GCM with random IV - Salt: 32 bytes random **Validation:** ```bash ./target/release/synor wallet create # Enter password cat ~/.synor/wallet.json # Verify encrypted format ``` ### Task 1.4: Transaction Signing - [x] Build transaction from inputs/outputs - [x] Create Ed25519 signature - [x] Create Dilithium3 signature - [x] Combine into hybrid signature - [x] Serialize signed transaction **Files:** - `apps/cli/src/wallet.rs` - `apps/cli/src/commands/send.rs` **Validation:** ```bash ./target/release/synor send synor:qz... 10.0 # Verify transaction is signed and broadcast ``` --- ## Validation ### Validation Commands ```bash # Run wallet tests cargo test -p synor-cli wallet # Test mnemonic roundtrip ./target/release/synor wallet create # Save mnemonic ./target/release/synor wallet recover # Enter same mnemonic # Verify same address ``` ### Validation Agents | Agent | Purpose | |-------|---------| | `code-reviewer` | Review crypto usage | | `silent-failure-hunter` | Check password error handling | ### Cryptographic Validation ```rust // Test deterministic key derivation #[test] fn test_deterministic_keys() { let mnemonic = "abandon abandon abandon..."; let wallet1 = Wallet::from_mnemonic(mnemonic, "")?; let wallet2 = Wallet::from_mnemonic(mnemonic, "")?; assert_eq!(wallet1.address(), wallet2.address()); } // Test signature verification #[test] fn test_hybrid_signature() { let wallet = Wallet::new()?; let message = b"test message"; let signature = wallet.sign(message)?; assert!(wallet.verify(message, &signature)?); } ``` ### Security Checks - [ ] Private keys zeroed after use (zeroize) - [ ] Wallet file has restricted permissions (0600) - [ ] No private key in error messages - [ ] Password not stored in memory after derivation - [ ] Constant-time signature comparison - [ ] Mnemonic display warning shown ### Test Coverage | Component | Coverage Target | |-----------|-----------------| | Mnemonic | >95% | | Keypair | >90% | | Encryption | >90% | | Signing | >95% | --- ## Dependencies - `synor-crypto` - Cryptographic primitives - `zeroize` - Secure memory clearing - `rpassword` - Secure password input --- ## Acceptance Criteria 1. Mnemonic generates valid 24-word phrase 2. Same mnemonic produces same address 3. Wallet file is encrypted at rest 4. Signatures verify correctly 5. All security checks pass --- *Completed: January 2025*