serai/crypto/dleq/src/cross_group/mod.rs

use thiserror::Error;
use rand_core::{RngCore, CryptoRng};

use transcript::Transcript;

use group::{ff::{PrimeField, PrimeFieldBits}, prime::PrimeGroup};

use crate::Generators;

pub mod scalar;

pub(crate) mod schnorr;
use schnorr::SchnorrPoK;

mod bits;
use bits::{RingSignature, Bits};

pub mod linear;

#[cfg(feature = "serialize")]
use std::io::Read;

#[cfg(feature = "serialize")]
pub(crate) fn read_point<R: Read, G: PrimeGroup>(r: &mut R) -> std::io::Result<G> {
  let mut repr = G::Repr::default();
  r.read_exact(repr.as_mut())?;
  let point = G::from_bytes(&repr);
  if point.is_none().into() {
    Err(std::io::Error::new(std::io::ErrorKind::Other, "invalid point"))?;
  }
  Ok(point.unwrap())
}

#[derive(Error, PartialEq, Eq, Debug)]
pub enum DLEqError {
  #[error("invalid proof of knowledge")]
  InvalidProofOfKnowledge,
  #[error("invalid proof length")]
  InvalidProofLength,
  #[error("invalid challenge")]
  InvalidChallenge,
  #[error("invalid proof")]
  InvalidProof
}

// Debug would be such a dump of data this likely isn't helpful, but at least it's available to
// anyone who wants it
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct DLEqProof<
  G0: PrimeGroup,
  G1: PrimeGroup,
  RING: RingSignature<G0, G1>,
  REM: RingSignature<G0, G1>
> where G0::Scalar: PrimeFieldBits, G1::Scalar: PrimeFieldBits {
  bits: Vec<Bits<G0, G1, RING>>,
  remainder: Option<Bits<G0, G1, REM>>,
  poks: (SchnorrPoK<G0>, SchnorrPoK<G1>)
}

impl<
  G0: PrimeGroup,
  G1: PrimeGroup,
  RING: RingSignature<G0, G1>,
  REM: RingSignature<G0, G1>
> DLEqProof<G0, G1, RING, REM> where G0::Scalar: PrimeFieldBits, G1::Scalar: PrimeFieldBits {
  pub(crate) fn initialize_transcript<T: Transcript>(
    transcript: &mut T,
    generators: (Generators<G0>, Generators<G1>),
    keys: (G0, G1)
  ) {
    generators.0.transcript(transcript);
    generators.1.transcript(transcript);
    transcript.domain_separate(b"points");
    transcript.append_message(b"point_0", keys.0.to_bytes().as_ref());
    transcript.append_message(b"point_1", keys.1.to_bytes().as_ref());
  }

  pub(crate) fn blinding_key<R: RngCore + CryptoRng, F: PrimeField>(
    rng: &mut R,
    total: &mut F,
    last: bool
  ) -> F {
    let blinding_key = if last {
      -*total
    } else {
      F::random(&mut *rng)
    };
    *total += blinding_key;
    blinding_key
  }

  fn reconstruct_keys(&self) -> (G0, G1) {
    let mut res = (
      self.bits.iter().map(|bit| bit.commitments.0).sum::<G0>(),
      self.bits.iter().map(|bit| bit.commitments.1).sum::<G1>()
    );

    if let Some(bit) = &self.remainder {
      res.0 += bit.commitments.0;
      res.1 += bit.commitments.1;
    }

    res
  }
}
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00			`use thiserror::Error;`
			`use rand_core::{RngCore, CryptoRng};`

			`use transcript::Transcript;`

Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 23:10:30 +00:00			`use group::{ff::{PrimeField, PrimeFieldBits}, prime::PrimeGroup};`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00
Remove cross-group DLEq challenge bias as possible 2022-07-02 06:45:26 +00:00			`use crate::Generators;`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00
			`pub mod scalar;`

			`pub(crate) mod schnorr;`
			`use schnorr::SchnorrPoK;`

Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 23:10:30 +00:00			`mod bits;`
			`use bits::{RingSignature, Bits};`

			`pub mod linear;`

Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00			`#[cfg(feature = "serialize")]`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 23:10:30 +00:00			`use std::io::Read;`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00
			`#[cfg(feature = "serialize")]`
			`pub(crate) fn read_point<R: Read, G: PrimeGroup>(r: &mut R) -> std::io::Result<G> {`
			`let mut repr = G::Repr::default();`
			`r.read_exact(repr.as_mut())?;`
			`let point = G::from_bytes(&repr);`
			`if point.is_none().into() {`
			`Err(std::io::Error::new(std::io::ErrorKind::Other, "invalid point"))?;`
			`}`
			`Ok(point.unwrap())`
			`}`

			`#[derive(Error, PartialEq, Eq, Debug)]`
			`pub enum DLEqError {`
			`#[error("invalid proof of knowledge")]`
			`InvalidProofOfKnowledge,`
			`#[error("invalid proof length")]`
			`InvalidProofLength,`
Unify the cross-group DLEq challenges This does reduce the strength of the challenges to that of the weaker field, yet that doesn't have any impact on whether or not this is ZK due to the key being shared across fields. Saves ~8kb. 2022-06-30 15:23:13 +00:00			`#[error("invalid challenge")]`
			`InvalidChallenge,`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00			`#[error("invalid proof")]`
			`InvalidProof`
			`}`

			`// Debug would be such a dump of data this likely isn't helpful, but at least it's available to`
			`// anyone who wants it`
			`#[derive(Clone, PartialEq, Eq, Debug)]`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 23:10:30 +00:00			`pub struct DLEqProof<`
			`G0: PrimeGroup,`
			`G1: PrimeGroup,`
			`RING: RingSignature<G0, G1>,`
			`REM: RingSignature<G0, G1>`
			`> where G0::Scalar: PrimeFieldBits, G1::Scalar: PrimeFieldBits {`
			`bits: Vec<Bits<G0, G1, RING>>,`
			`remainder: Option<Bits<G0, G1, REM>>,`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00			`poks: (SchnorrPoK<G0>, SchnorrPoK<G1>)`
			`}`

Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 23:10:30 +00:00			`impl<`
			`G0: PrimeGroup,`
			`G1: PrimeGroup,`
			`RING: RingSignature<G0, G1>,`
			`REM: RingSignature<G0, G1>`
			`> DLEqProof<G0, G1, RING, REM> where G0::Scalar: PrimeFieldBits, G1::Scalar: PrimeFieldBits {`
			`pub(crate) fn initialize_transcript<T: Transcript>(`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00			`transcript: &mut T,`
			`generators: (Generators<G0>, Generators<G1>),`
			`keys: (G0, G1)`
			`) {`
			`generators.0.transcript(transcript);`
			`generators.1.transcript(transcript);`
			`transcript.domain_separate(b"points");`
			`transcript.append_message(b"point_0", keys.0.to_bytes().as_ref());`
			`transcript.append_message(b"point_1", keys.1.to_bytes().as_ref());`
			`}`

Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 23:10:30 +00:00			`pub(crate) fn blinding_key<R: RngCore + CryptoRng, F: PrimeField>(`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00			`rng: &mut R,`
			`total: &mut F,`
			`last: bool`
			`) -> F {`
			`let blinding_key = if last {`
Make the cross-group DLEq bit components pow 2, not the commitments as a whole Few percent faster. Enables accumulating the current bit's point representation, whereas the blinding keys can't be accumulated. Also theoretically enables pre-computation of the bit points, removing hundreds of additions from the proof. When tested, this was less performant, possibly due to cache/heap allocation. 2022-07-05 09:18:12 +00:00			`-*total`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00			`} else {`
			`F::random(&mut *rng)`
			`};`
Make the cross-group DLEq bit components pow 2, not the commitments as a whole Few percent faster. Enables accumulating the current bit's point representation, whereas the blinding keys can't be accumulated. Also theoretically enables pre-computation of the bit points, removing hundreds of additions from the proof. When tested, this was less performant, possibly due to cache/heap allocation. 2022-07-05 09:18:12 +00:00			`*total += blinding_key;`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00			`blinding_key`
			`}`

			`fn reconstruct_keys(&self) -> (G0, G1) {`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 23:10:30 +00:00			`let mut res = (`
			`self.bits.iter().map(\|bit\| bit.commitments.0).sum::<G0>(),`
			`self.bits.iter().map(\|bit\| bit.commitments.1).sum::<G1>()`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00			`);`

Use a ring per 2 bits instead of per bit Reduces proof size by 21.5% without notable computational complexity changes. I wouldn't be surprised if it has minor ones, yet I can't comment in which way they go without further review. Bit now verifies it can successfully complete the ring under debug, slightly increasing debug times. 2022-07-05 19:01:33 +00:00			`if let Some(bit) = &self.remainder {`
Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 23:10:30 +00:00			`res.0 += bit.commitments.0;`
			`res.1 += bit.commitments.1;`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00			`}`

Add a batch verified DLEq The batch verified one offers ~23% faster verification. While this massively refactors for modularity, I'm still not happy with the DLEq proofs at the top level, nor am I happy with the AOS signatures. I'll work on cleaning them up more later. 2022-07-05 23:10:30 +00:00			`res`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 09:42:29 +00:00			`}`
			`}`