2022-05-14 00:26:29 +00:00
|
|
|
#![allow(non_snake_case)]
|
|
|
|
|
|
|
|
|
|
use lazy_static::lazy_static;
|
2022-04-28 21:29:56 +00:00
|
|
|
use thiserror::Error;
|
2022-05-03 11:20:24 +00:00
|
|
|
use rand_core::{RngCore, CryptoRng};
|
2022-04-28 21:29:56 +00:00
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 08:25:18 +00:00
|
|
|
use zeroize::{Zeroize, ZeroizeOnDrop};
|
|
|
|
|
use subtle::{ConstantTimeEq, Choice, CtOption};
|
|
|
|
|
|
2022-04-22 01:36:18 +00:00
|
|
|
use curve25519_dalek::{
|
|
|
|
|
constants::ED25519_BASEPOINT_TABLE,
|
|
|
|
|
scalar::Scalar,
|
2022-07-26 07:25:57 +00:00
|
|
|
traits::{IsIdentity, VartimePrecomputedMultiscalarMul},
|
2022-07-15 05:26:07 +00:00
|
|
|
edwards::{EdwardsPoint, VartimeEdwardsPrecomputation},
|
2022-04-22 01:36:18 +00:00
|
|
|
};
|
|
|
|
|
|
2022-04-28 07:31:09 +00:00
|
|
|
use crate::{
|
2022-07-27 09:05:43 +00:00
|
|
|
Commitment, random_scalar, hash_to_scalar, wallet::decoys::Decoys, ringct::hash_to_point,
|
|
|
|
|
serialize::*,
|
2022-04-28 07:31:09 +00:00
|
|
|
};
|
2022-04-22 01:36:18 +00:00
|
|
|
|
|
|
|
|
#[cfg(feature = "multisig")]
|
|
|
|
|
mod multisig;
|
|
|
|
|
#[cfg(feature = "multisig")]
|
2022-05-21 19:33:35 +00:00
|
|
|
pub use multisig::{ClsagDetails, ClsagMultisig};
|
|
|
|
|
|
|
|
|
|
lazy_static! {
|
2022-05-30 06:14:34 +00:00
|
|
|
static ref INV_EIGHT: Scalar = Scalar::from(8u8).invert();
|
2022-05-21 19:33:35 +00:00
|
|
|
}
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-05-28 09:08:37 +00:00
|
|
|
#[derive(Clone, Error, Debug)]
|
2022-05-21 19:33:35 +00:00
|
|
|
pub enum ClsagError {
|
2022-04-28 21:29:56 +00:00
|
|
|
#[error("internal error ({0})")]
|
|
|
|
|
InternalError(String),
|
2022-07-26 07:25:57 +00:00
|
|
|
#[error("invalid ring")]
|
|
|
|
|
InvalidRing,
|
2022-04-28 21:29:56 +00:00
|
|
|
#[error("invalid ring member (member {0}, ring size {1})")]
|
|
|
|
|
InvalidRingMember(u8, u8),
|
|
|
|
|
#[error("invalid commitment")]
|
2022-05-14 00:26:29 +00:00
|
|
|
InvalidCommitment,
|
2022-07-26 07:25:57 +00:00
|
|
|
#[error("invalid key image")]
|
|
|
|
|
InvalidImage,
|
2022-05-14 00:26:29 +00:00
|
|
|
#[error("invalid D")]
|
|
|
|
|
InvalidD,
|
|
|
|
|
#[error("invalid s")]
|
|
|
|
|
InvalidS,
|
|
|
|
|
#[error("invalid c1")]
|
2022-07-15 05:26:07 +00:00
|
|
|
InvalidC1,
|
2022-04-28 21:29:56 +00:00
|
|
|
}
|
|
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 08:25:18 +00:00
|
|
|
#[derive(Clone, PartialEq, Eq, Debug, Zeroize, ZeroizeOnDrop)]
|
2022-05-21 19:33:35 +00:00
|
|
|
pub struct ClsagInput {
|
2022-05-06 23:07:37 +00:00
|
|
|
// The actual commitment for the true spend
|
2022-08-21 15:06:17 +00:00
|
|
|
pub(crate) commitment: Commitment,
|
2022-05-06 23:07:37 +00:00
|
|
|
// True spend index, offsets, and ring
|
2022-08-21 15:06:17 +00:00
|
|
|
pub(crate) decoys: Decoys,
|
2022-04-28 21:29:56 +00:00
|
|
|
}
|
|
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
impl ClsagInput {
|
2022-07-15 05:26:07 +00:00
|
|
|
pub fn new(commitment: Commitment, decoys: Decoys) -> Result<ClsagInput, ClsagError> {
|
2022-05-06 23:07:37 +00:00
|
|
|
let n = decoys.len();
|
2022-04-28 21:29:56 +00:00
|
|
|
if n > u8::MAX.into() {
|
2022-05-21 19:33:35 +00:00
|
|
|
Err(ClsagError::InternalError("max ring size in this library is u8 max".to_string()))?;
|
2022-04-28 21:29:56 +00:00
|
|
|
}
|
2022-05-30 06:14:34 +00:00
|
|
|
let n = u8::try_from(n).unwrap();
|
|
|
|
|
if decoys.i >= n {
|
|
|
|
|
Err(ClsagError::InvalidRingMember(decoys.i, n))?;
|
2022-04-28 21:29:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Validate the commitment matches
|
2022-05-06 23:07:37 +00:00
|
|
|
if decoys.ring[usize::from(decoys.i)][1] != commitment.calculate() {
|
2022-05-21 19:33:35 +00:00
|
|
|
Err(ClsagError::InvalidCommitment)?;
|
2022-04-28 21:29:56 +00:00
|
|
|
}
|
|
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
Ok(ClsagInput { commitment, decoys })
|
2022-04-28 21:29:56 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-22 06:34:36 +00:00
|
|
|
#[allow(clippy::large_enum_variant)]
|
2022-05-14 00:26:29 +00:00
|
|
|
enum Mode {
|
|
|
|
|
Sign(usize, EdwardsPoint, EdwardsPoint),
|
2022-07-15 05:26:07 +00:00
|
|
|
Verify(Scalar),
|
2022-05-14 00:26:29 +00:00
|
|
|
}
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
// Core of the CLSAG algorithm, applicable to both sign and verify with minimal differences
|
|
|
|
|
// Said differences are covered via the above Mode
|
2022-05-14 00:26:29 +00:00
|
|
|
fn core(
|
|
|
|
|
ring: &[[EdwardsPoint; 2]],
|
|
|
|
|
I: &EdwardsPoint,
|
|
|
|
|
pseudo_out: &EdwardsPoint,
|
|
|
|
|
msg: &[u8; 32],
|
|
|
|
|
D: &EdwardsPoint,
|
|
|
|
|
s: &[Scalar],
|
2022-07-15 05:26:07 +00:00
|
|
|
A_c1: Mode,
|
2022-05-21 19:33:35 +00:00
|
|
|
) -> ((EdwardsPoint, Scalar, Scalar), Scalar) {
|
2022-05-14 00:26:29 +00:00
|
|
|
let n = ring.len();
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-05-14 00:26:29 +00:00
|
|
|
let images_precomp = VartimeEdwardsPrecomputation::new([I, D]);
|
|
|
|
|
let D = D * *INV_EIGHT;
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
// Generate the transcript
|
|
|
|
|
// Instead of generating multiple, a single transcript is created and then edited as needed
|
2022-07-15 05:26:07 +00:00
|
|
|
const PREFIX: &[u8] = b"CLSAG_";
|
|
|
|
|
#[rustfmt::skip]
|
|
|
|
|
const AGG_0: &[u8] = b"agg_0";
|
|
|
|
|
#[rustfmt::skip]
|
|
|
|
|
const ROUND: &[u8] = b"round";
|
|
|
|
|
const PREFIX_AGG_0_LEN: usize = PREFIX.len() + AGG_0.len();
|
|
|
|
|
|
|
|
|
|
let mut to_hash = Vec::with_capacity(((2 * n) + 5) * 32);
|
|
|
|
|
to_hash.extend(PREFIX);
|
2022-05-21 19:33:35 +00:00
|
|
|
to_hash.extend(AGG_0);
|
2022-07-17 21:24:09 +00:00
|
|
|
to_hash.extend([0; 32 - PREFIX_AGG_0_LEN]);
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
let mut P = Vec::with_capacity(n);
|
2022-05-14 00:26:29 +00:00
|
|
|
for member in ring {
|
|
|
|
|
P.push(member[0]);
|
|
|
|
|
to_hash.extend(member[0].compress().to_bytes());
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
let mut C = Vec::with_capacity(n);
|
2022-05-14 00:26:29 +00:00
|
|
|
for member in ring {
|
2022-05-21 19:33:35 +00:00
|
|
|
C.push(member[1] - pseudo_out);
|
2022-05-14 00:26:29 +00:00
|
|
|
to_hash.extend(member[1].compress().to_bytes());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
to_hash.extend(I.compress().to_bytes());
|
2022-05-21 19:33:35 +00:00
|
|
|
to_hash.extend(D.compress().to_bytes());
|
2022-05-14 00:26:29 +00:00
|
|
|
to_hash.extend(pseudo_out.compress().to_bytes());
|
2022-05-21 19:33:35 +00:00
|
|
|
// mu_P with agg_0
|
2022-04-22 01:36:18 +00:00
|
|
|
let mu_P = hash_to_scalar(&to_hash);
|
2022-05-21 19:33:35 +00:00
|
|
|
// mu_C with agg_1
|
2022-07-17 21:24:09 +00:00
|
|
|
to_hash[PREFIX_AGG_0_LEN - 1] = b'1';
|
2022-04-22 01:36:18 +00:00
|
|
|
let mu_C = hash_to_scalar(&to_hash);
|
|
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
// Truncate it for the round transcript, altering the DST as needed
|
2022-04-22 01:36:18 +00:00
|
|
|
to_hash.truncate(((2 * n) + 1) * 32);
|
2022-04-28 07:31:09 +00:00
|
|
|
for i in 0 .. ROUND.len() {
|
2022-05-30 06:14:34 +00:00
|
|
|
to_hash[PREFIX.len() + i] = ROUND[i];
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
2022-05-21 19:33:35 +00:00
|
|
|
// Unfortunately, it's I D pseudo_out instead of pseudo_out I D, meaning this needs to be
|
|
|
|
|
// truncated just to add it back
|
2022-05-14 00:26:29 +00:00
|
|
|
to_hash.extend(pseudo_out.compress().to_bytes());
|
2022-04-22 01:36:18 +00:00
|
|
|
to_hash.extend(msg);
|
|
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
// Configure the loop based on if we're signing or verifying
|
2022-05-14 04:45:13 +00:00
|
|
|
let start;
|
2022-05-14 00:26:29 +00:00
|
|
|
let end;
|
2022-05-14 04:45:13 +00:00
|
|
|
let mut c;
|
2022-05-14 00:26:29 +00:00
|
|
|
match A_c1 {
|
|
|
|
|
Mode::Sign(r, A, AH) => {
|
2022-05-14 04:45:13 +00:00
|
|
|
start = r + 1;
|
|
|
|
|
end = r + n;
|
2022-05-14 00:26:29 +00:00
|
|
|
to_hash.extend(A.compress().to_bytes());
|
|
|
|
|
to_hash.extend(AH.compress().to_bytes());
|
|
|
|
|
c = hash_to_scalar(&to_hash);
|
2022-07-15 05:26:07 +00:00
|
|
|
}
|
2022-05-14 00:26:29 +00:00
|
|
|
|
|
|
|
|
Mode::Verify(c1) => {
|
2022-05-14 04:45:13 +00:00
|
|
|
start = 0;
|
|
|
|
|
end = n;
|
2022-05-14 00:26:29 +00:00
|
|
|
c = c1;
|
|
|
|
|
}
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
// Perform the core loop
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 08:25:18 +00:00
|
|
|
let mut c1 = CtOption::new(Scalar::zero(), Choice::from(0));
|
2022-05-14 04:45:13 +00:00
|
|
|
for i in (start .. end).map(|i| i % n) {
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 08:25:18 +00:00
|
|
|
// This will only execute once and shouldn't need to be constant time. Making it constant time
|
|
|
|
|
// removes the risk of branch prediction creating timing differences depending on ring index
|
|
|
|
|
// however
|
|
|
|
|
c1 = c1.or_else(|| CtOption::new(c, i.ct_eq(&0)));
|
2022-05-14 04:45:13 +00:00
|
|
|
|
2022-04-22 01:36:18 +00:00
|
|
|
let c_p = mu_P * c;
|
|
|
|
|
let c_c = mu_C * c;
|
|
|
|
|
|
2022-04-28 07:31:09 +00:00
|
|
|
let L = (&s[i] * &ED25519_BASEPOINT_TABLE) + (c_p * P[i]) + (c_c * C[i]);
|
2022-07-10 20:11:55 +00:00
|
|
|
let PH = hash_to_point(P[i]);
|
2022-04-22 01:36:18 +00:00
|
|
|
// Shouldn't be an issue as all of the variables in this vartime statement are public
|
2022-04-28 07:31:09 +00:00
|
|
|
let R = (s[i] * PH) + images_precomp.vartime_multiscalar_mul(&[c_p, c_c]);
|
2022-04-22 01:36:18 +00:00
|
|
|
|
|
|
|
|
to_hash.truncate(((2 * n) + 3) * 32);
|
|
|
|
|
to_hash.extend(L.compress().to_bytes());
|
|
|
|
|
to_hash.extend(R.compress().to_bytes());
|
|
|
|
|
c = hash_to_scalar(&to_hash);
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
// This first tuple is needed to continue signing, the latter is the c to be tested/worked with
|
|
|
|
|
((D, c * mu_P, c * mu_C), c1.unwrap_or(c))
|
2022-05-14 00:26:29 +00:00
|
|
|
}
|
|
|
|
|
|
2022-07-22 06:34:36 +00:00
|
|
|
#[derive(Clone, PartialEq, Eq, Debug)]
|
2022-05-21 19:33:35 +00:00
|
|
|
pub struct Clsag {
|
|
|
|
|
pub D: EdwardsPoint,
|
|
|
|
|
pub s: Vec<Scalar>,
|
2022-07-15 05:26:07 +00:00
|
|
|
pub c1: Scalar,
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
impl Clsag {
|
|
|
|
|
// Sign core is the extension of core as needed for signing, yet is shared between single signer
|
|
|
|
|
// and multisig, hence why it's still core
|
|
|
|
|
pub(crate) fn sign_core<R: RngCore + CryptoRng>(
|
|
|
|
|
rng: &mut R,
|
|
|
|
|
I: &EdwardsPoint,
|
|
|
|
|
input: &ClsagInput,
|
|
|
|
|
mask: Scalar,
|
|
|
|
|
msg: &[u8; 32],
|
|
|
|
|
A: EdwardsPoint,
|
2022-07-15 05:26:07 +00:00
|
|
|
AH: EdwardsPoint,
|
2022-05-21 19:33:35 +00:00
|
|
|
) -> (Clsag, EdwardsPoint, Scalar, Scalar) {
|
|
|
|
|
let r: usize = input.decoys.i.into();
|
|
|
|
|
|
|
|
|
|
let pseudo_out = Commitment::new(mask, input.commitment.amount).calculate();
|
|
|
|
|
let z = input.commitment.mask - mask;
|
|
|
|
|
|
2022-07-10 20:11:55 +00:00
|
|
|
let H = hash_to_point(input.decoys.ring[r][0]);
|
2022-05-21 19:33:35 +00:00
|
|
|
let D = H * z;
|
|
|
|
|
let mut s = Vec::with_capacity(input.decoys.ring.len());
|
|
|
|
|
for _ in 0 .. input.decoys.ring.len() {
|
|
|
|
|
s.push(random_scalar(rng));
|
2022-04-28 07:31:09 +00:00
|
|
|
}
|
2022-07-15 05:26:07 +00:00
|
|
|
let ((D, p, c), c1) =
|
|
|
|
|
core(&input.decoys.ring, I, &pseudo_out, msg, &D, &s, Mode::Sign(r, A, AH));
|
|
|
|
|
|
|
|
|
|
(Clsag { D, s, c1 }, pseudo_out, p, c * z)
|
2022-05-21 19:33:35 +00:00
|
|
|
}
|
2022-04-28 07:31:09 +00:00
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
// Single signer CLSAG
|
|
|
|
|
pub fn sign<R: RngCore + CryptoRng>(
|
|
|
|
|
rng: &mut R,
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 08:25:18 +00:00
|
|
|
mut inputs: Vec<(Scalar, EdwardsPoint, ClsagInput)>,
|
2022-05-21 19:33:35 +00:00
|
|
|
sum_outputs: Scalar,
|
2022-07-15 05:26:07 +00:00
|
|
|
msg: [u8; 32],
|
2022-05-21 19:33:35 +00:00
|
|
|
) -> Vec<(Clsag, EdwardsPoint)> {
|
|
|
|
|
let mut res = Vec::with_capacity(inputs.len());
|
|
|
|
|
let mut sum_pseudo_outs = Scalar::zero();
|
|
|
|
|
for i in 0 .. inputs.len() {
|
|
|
|
|
let mut mask = random_scalar(rng);
|
|
|
|
|
if i == (inputs.len() - 1) {
|
|
|
|
|
mask = sum_outputs - sum_pseudo_outs;
|
|
|
|
|
} else {
|
|
|
|
|
sum_pseudo_outs += mask;
|
|
|
|
|
}
|
|
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 08:25:18 +00:00
|
|
|
let mut nonce = random_scalar(rng);
|
2022-05-21 19:33:35 +00:00
|
|
|
let (mut clsag, pseudo_out, p, c) = Clsag::sign_core(
|
|
|
|
|
rng,
|
|
|
|
|
&inputs[i].1,
|
|
|
|
|
&inputs[i].2,
|
|
|
|
|
mask,
|
|
|
|
|
&msg,
|
|
|
|
|
&nonce * &ED25519_BASEPOINT_TABLE,
|
2022-07-15 05:26:07 +00:00
|
|
|
nonce * hash_to_point(inputs[i].2.decoys.ring[usize::from(inputs[i].2.decoys.i)][0]),
|
2022-05-21 19:33:35 +00:00
|
|
|
);
|
2022-05-30 06:14:34 +00:00
|
|
|
clsag.s[usize::from(inputs[i].2.decoys.i)] = nonce - ((p * inputs[i].0) + c);
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 08:25:18 +00:00
|
|
|
inputs[i].0.zeroize();
|
|
|
|
|
nonce.zeroize();
|
2022-05-21 19:33:35 +00:00
|
|
|
|
|
|
|
|
res.push((clsag, pseudo_out));
|
|
|
|
|
}
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
res
|
2022-05-14 00:26:29 +00:00
|
|
|
}
|
|
|
|
|
|
2022-07-26 07:25:57 +00:00
|
|
|
pub fn verify(
|
2022-05-21 19:33:35 +00:00
|
|
|
&self,
|
|
|
|
|
ring: &[[EdwardsPoint; 2]],
|
|
|
|
|
I: &EdwardsPoint,
|
|
|
|
|
pseudo_out: &EdwardsPoint,
|
2022-07-15 05:26:07 +00:00
|
|
|
msg: &[u8; 32],
|
2022-05-21 19:33:35 +00:00
|
|
|
) -> Result<(), ClsagError> {
|
2022-07-26 07:25:57 +00:00
|
|
|
// Preliminary checks. s, c1, and points must also be encoded canonically, which isn't checked
|
|
|
|
|
// here
|
2022-07-26 07:48:46 +00:00
|
|
|
if ring.is_empty() {
|
2022-07-26 07:25:57 +00:00
|
|
|
Err(ClsagError::InvalidRing)?;
|
|
|
|
|
}
|
|
|
|
|
if ring.len() != self.s.len() {
|
|
|
|
|
Err(ClsagError::InvalidS)?;
|
|
|
|
|
}
|
|
|
|
|
if I.is_identity() {
|
|
|
|
|
Err(ClsagError::InvalidImage)?;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let D = self.D.mul_by_cofactor();
|
|
|
|
|
if D.is_identity() {
|
|
|
|
|
Err(ClsagError::InvalidD)?;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let (_, c1) = core(ring, I, pseudo_out, msg, &D, &self.s, Mode::Verify(self.c1));
|
2022-05-21 19:33:35 +00:00
|
|
|
if c1 != self.c1 {
|
|
|
|
|
Err(ClsagError::InvalidC1)?;
|
|
|
|
|
}
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-07-27 09:05:43 +00:00
|
|
|
pub(crate) fn fee_weight(ring_len: usize) -> usize {
|
|
|
|
|
(ring_len * 32) + 32 + 32
|
2022-06-19 16:03:01 +00:00
|
|
|
}
|
|
|
|
|
|
2022-05-21 19:33:35 +00:00
|
|
|
pub fn serialize<W: std::io::Write>(&self, w: &mut W) -> std::io::Result<()> {
|
|
|
|
|
write_raw_vec(write_scalar, &self.s, w)?;
|
|
|
|
|
w.write_all(&self.c1.to_bytes())?;
|
|
|
|
|
write_point(&self.D, w)
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
|
2022-05-22 00:27:21 +00:00
|
|
|
pub fn deserialize<R: std::io::Read>(decoys: usize, r: &mut R) -> std::io::Result<Clsag> {
|
2022-07-15 05:26:07 +00:00
|
|
|
Ok(Clsag { s: read_raw_vec(read_scalar, decoys, r)?, c1: read_scalar(r)?, D: read_point(r)? })
|
2022-05-22 00:27:21 +00:00
|
|
|
}
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
