Remove rng_seed's additional entropy

It was never used: the other fields already in the transcript supply the entropy, and any field
needed for entropy is appended to the transcript explicitly.

Also drops an unused crate and corrects a bug in FROST's Schnorr 
implementation which used the Group's generator, instead of the Curve's.

Also updates the Monero crate's description.
This commit is contained in:
Luke Parker 2022-05-31 02:12:14 -04:00
parent e504266c80
commit 7b4c5dbe52
No known key found for this signature in database
GPG key ID: F9F1386DB1E119B6
8 changed files with 11 additions and 21 deletions


@ -1,7 +1,7 @@
[package] [package]
name = "monero-serai" name = "monero-serai"
version = "0.1.0" version = "0.1.0"
description = "Implementation of Monero transaction signing in Rust" description = "A modern Monero wallet library"
license = "MIT" license = "MIT"
authors = ["Luke Parker <lukeparker5132@gmail.com>"] authors = ["Luke Parker <lukeparker5132@gmail.com>"]
edition = "2021" edition = "2021"


@ -206,7 +206,7 @@ impl Algorithm<Ed25519> for ClsagMultisig {
// process even if they have access to commitments (specifically, the ring index being signed // process even if they have access to commitments (specifically, the ring index being signed
// for, along with the mask which should not only require knowing the shared keys yet also the // for, along with the mask which should not only require knowing the shared keys yet also the
// input commitment masks) // input commitment masks)
let mut rng = ChaCha12Rng::from_seed(self.transcript.rng_seed(b"decoy_responses", None)); let mut rng = ChaCha12Rng::from_seed(self.transcript.rng_seed(b"decoy_responses"));
self.msg = Some(msg.try_into().expect("CLSAG message should be 32-bytes")); self.msg = Some(msg.try_into().expect("CLSAG message should be 32-bytes"));
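Review bot: The seed for the decoy responses is taken on the line before `self.msg` is set, so with `additional_entropy` gone the responses depend only on what the transcript already holds at that point, which the hunk does not show (the enclosing method begins before the hunk). If the message and the per-session nonce commitments are not already in the transcript here, two signing attempts over the same transcript state would yield the same decoy responses, which a co-signer could predict. A comment at the seed line naming what the transcript is expected to contain would make the removal of the entropy parameter auditable, e.g. `// Seed relies on the transcript already committing to the shared keys, ring, and per-session nonce commitments (appended above)`, adjusted to whatever the earlier appends actually are.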


@ -90,7 +90,7 @@ impl SignableTransaction {
let decoys = Decoys::select( let decoys = Decoys::select(
// Using a seeded RNG with a specific height, committed to above, should make these decoys // Using a seeded RNG with a specific height, committed to above, should make these decoys
// committed to. They'll also be committed to later via the TX message as a whole // committed to. They'll also be committed to later via the TX message as a whole
&mut ChaCha12Rng::from_seed(transcript.rng_seed(b"decoys", None)), &mut ChaCha12Rng::from_seed(transcript.rng_seed(b"decoys")),
rpc, rpc,
height, height,
&self.inputs &self.inputs
@ -216,7 +216,7 @@ impl StateMachine for TransactionMachine {
// Not invalid outputs due to already doing a dummy prep // Not invalid outputs due to already doing a dummy prep
let (commitments, output_masks) = self.signable.prepare_outputs( let (commitments, output_masks) = self.signable.prepare_outputs(
&mut ChaCha12Rng::from_seed(self.transcript.rng_seed(b"tx_keys", None)), &mut ChaCha12Rng::from_seed(self.transcript.rng_seed(b"tx_keys")),
uniqueness( uniqueness(
&images.iter().map(|image| Input::ToKey { &images.iter().map(|image| Input::ToKey {
amount: 0, amount: 0,
@ -230,7 +230,7 @@ impl StateMachine for TransactionMachine {
self.signable.prepare_transaction( self.signable.prepare_transaction(
&commitments, &commitments,
Bulletproofs::new( Bulletproofs::new(
&mut ChaCha12Rng::from_seed(self.transcript.rng_seed(b"bulletproofs", None)), &mut ChaCha12Rng::from_seed(self.transcript.rng_seed(b"bulletproofs")),
&commitments &commitments
).unwrap() ).unwrap()
) )
@ -249,7 +249,7 @@ impl StateMachine for TransactionMachine {
} }
sorted.sort_by(|x, y| x.2.compress().to_bytes().cmp(&y.2.compress().to_bytes()).reverse()); sorted.sort_by(|x, y| x.2.compress().to_bytes().cmp(&y.2.compress().to_bytes()).reverse());
let mut rng = ChaCha12Rng::from_seed(self.transcript.rng_seed(b"pseudo_out_masks", None)); let mut rng = ChaCha12Rng::from_seed(self.transcript.rng_seed(b"pseudo_out_masks"));
let mut sum_pseudo_outs = Scalar::zero(); let mut sum_pseudo_outs = Scalar::zero();
while sorted.len() != 0 { while sorted.len() != 0 {
let value = sorted.remove(0); let value = sorted.remove(0);
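Review bot: The pseudo-output loop in the last hunk is written as `while sorted.len() != 0 { let value = sorted.remove(0); … }`, which clippy flags (`len_zero`) and which is O(n²) because `remove(0)` shifts the whole vector each iteration. If the loop body, which continues outside the hunk, does not inspect the remaining elements, `for value in sorted.drain(..) { … }` is the idiomatic form; if it needs to know whether it is on the last element, `for (i, value) in sorted.drain(..).enumerate()` with the length captured beforehand keeps that without the quadratic shifting. At minimum `while !sorted.is_empty()` reads better than the length comparison.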


@ -14,7 +14,6 @@ rand_core = "0.6"
ff = "0.11" ff = "0.11"
group = "0.11" group = "0.11"
blake2 = "0.10"
transcript = { path = "../transcript" } transcript = { path = "../transcript" }
multiexp = { path = "../multiexp", features = ["batch"] } multiexp = { path = "../multiexp", features = ["batch"] }


@ -72,7 +72,7 @@ impl Transcript for IetfTranscript {
self.0.clone() self.0.clone()
} }
fn rng_seed(&mut self, _: &'static [u8], _: Option<[u8; 32]>) -> [u8; 32] { fn rng_seed(&mut self, _: &'static [u8]) -> [u8; 32] {
unimplemented!() unimplemented!()
} }
} }
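Review bot: `rng_seed` on `IetfTranscript` is a bare `unimplemented!()`, so any `Algorithm` that derives an RNG from its transcript (ClsagMultisig does so elsewhere in this commit) will panic at signing time when paired with this transcript, with nothing at the type level warning about it. The contract should at least be documented on the method, `/// IetfTranscript provides no RNG derivation; algorithms that call rng_seed must use a different Transcript.`, and the panic should name its cause, `unimplemented!("IetfTranscript does not support rng_seed")`. The enclosing impl continues outside the hunk.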


@ -1,7 +1,6 @@
use rand_core::{RngCore, CryptoRng}; use rand_core::{RngCore, CryptoRng};
use ff::Field; use ff::Field;
use group::Group;
use multiexp::BatchVerifier; use multiexp::BatchVerifier;
@ -46,7 +45,7 @@ pub(crate) fn batch_verify<C: Curve, R: RngCore + CryptoRng>(
rng: &mut R, rng: &mut R,
triplets: &[(u16, C::G, C::F, SchnorrSignature<C>)] triplets: &[(u16, C::G, C::F, SchnorrSignature<C>)]
) -> Result<(), u16> { ) -> Result<(), u16> {
let mut values = [(C::F::one(), C::G::generator()); 3]; let mut values = [(C::F::one(), C::generator()); 3];
let mut batch = BatchVerifier::new(triplets.len(), C::little_endian()); let mut batch = BatchVerifier::new(triplets.len(), C::little_endian());
for triple in triplets { for triple in triplets {
// s = r + ca // s = r + ca
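Review bot: `batch_verify` has no doc comment, and the meaning of the `u16` in its `Result<(), u16>` is not stated; from the triplet type it is presumably the first element of the triplet that failed verification, but that should be confirmed against the body, which continues past the hunk. A one-line doc would settle it: `/// Batch-verifies the given Schnorr signatures against the Curve's generator; on failure returns the u16 identifier of the first triplet found invalid.` The switch from `C::G::generator()` to `C::generator()` is worth a why-comment too, since the two can differ for curves whose Group generator is not the one the protocol signs against.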


@ -11,7 +11,7 @@ pub trait Transcript {
fn domain_separate(&mut self, label: &[u8]); fn domain_separate(&mut self, label: &[u8]);
fn append_message(&mut self, label: &'static [u8], message: &[u8]); fn append_message(&mut self, label: &'static [u8], message: &[u8]);
fn challenge(&mut self, label: &'static [u8]) -> Vec<u8>; fn challenge(&mut self, label: &'static [u8]) -> Vec<u8>;
fn rng_seed(&mut self, label: &'static [u8], additional_entropy: Option<[u8; 32]>) -> [u8; 32]; fn rng_seed(&mut self, label: &'static [u8]) -> [u8; 32];
} }
#[derive(Clone, Debug)] #[derive(Clone, Debug)]
@ -49,11 +49,7 @@ impl<D: Digest> Transcript for DigestTranscript<D> {
D::new().chain_update(&self.0).finalize().to_vec() D::new().chain_update(&self.0).finalize().to_vec()
} }
fn rng_seed(&mut self, label: &'static [u8], additional_entropy: Option<[u8; 32]>) -> [u8; 32] { fn rng_seed(&mut self, label: &'static [u8]) -> [u8; 32] {
if additional_entropy.is_some() {
self.append_message(b"additional_entropy", &additional_entropy.unwrap());
}
let mut seed = [0; 32]; let mut seed = [0; 32];
seed.copy_from_slice(&self.challenge(label)[0 .. 32]); seed.copy_from_slice(&self.challenge(label)[0 .. 32]);
seed seed
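Review bot: `seed.copy_from_slice(&self.challenge(label)[0 .. 32])` panics at runtime if `D`'s output is shorter than 32 bytes, and the `impl<D: Digest>` bound does not rule that out; a guard at the top of `rng_seed`, `assert!(<D as Digest>::output_size() >= 32, "rng_seed requires a digest with at least 32 bytes of output");`, or a tighter bound on the impl, would turn that misconfiguration into a clear failure rather than a slice panic. Separately, whether two `rng_seed` calls with the same label and no intervening append yield the same seed depends on whether `challenge` folds the label into the transcript state before the `finalize` shown at the top of the hunk, which is outside the hunk; the trait method should state this. Suggested doc on the trait declaration: `/// Derives a 32-byte RNG seed bound to the transcript state so far; each label must be used at most once per transcript.`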


@ -30,11 +30,7 @@ impl Transcript for MerlinTranscript {
challenge challenge
} }
fn rng_seed(&mut self, label: &'static [u8], additional_entropy: Option<[u8; 32]>) -> [u8; 32] { fn rng_seed(&mut self, label: &'static [u8]) -> [u8; 32] {
if additional_entropy.is_some() {
transcript.append_message(b"additional_entropy", &additional_entropy.unwrap());
}
let mut seed = [0; 32]; let mut seed = [0; 32];
transcript.challenge_bytes(label, &mut seed); transcript.challenge_bytes(label, &mut seed);
seed seed