From a770e29b0cb10abd104f4ef6609bae6b3fe31615 Mon Sep 17 00:00:00 2001
From: Luke Parker
Date: Tue, 31 May 2022 02:12:14 -0400
Subject: [PATCH] Remove rng_seed's additional entropy

It was never used as we derive entropy via the other fields in the transcript, and explicitly add fields directly as needed for entropy.

Also drops an unused crate and corrects a bug in FROST's Schnorr implementation which used the Group's generator, instead of the Curve's.

Also updates the Monero crate's description.
---
 coins/monero/Cargo.toml | 2 +-
 coins/monero/src/ringct/clsag/multisig.rs | 2 +-
 coins/monero/src/wallet/send/multisig.rs | 8 ++++----
 crypto/frost/Cargo.toml | 1 -
 crypto/frost/src/algorithm.rs | 2 +-
 crypto/frost/src/schnorr.rs | 3 +--
 crypto/transcript/src/lib.rs | 8 ++------
 crypto/transcript/src/merlin.rs | 6 +-----
 8 files changed, 11 insertions(+), 21 deletions(-)

diff --git a/coins/monero/Cargo.toml b/coins/monero/Cargo.toml
index daa99000..e9fdeaf0 100644
--- a/coins/monero/Cargo.toml
+++ b/coins/monero/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "monero-serai"
 version = "0.1.0"
-description = "Implementation of Monero transaction signing in Rust"
+description = "A modern Monero wallet library"
 license = "MIT"
 authors = ["Luke Parker "]
 edition = "2021"
diff --git a/coins/monero/src/ringct/clsag/multisig.rs b/coins/monero/src/ringct/clsag/multisig.rs
index 284ec45c..896ec409 100644
--- a/coins/monero/src/ringct/clsag/multisig.rs
+++ b/coins/monero/src/ringct/clsag/multisig.rs
@@ -206,7 +206,7 @@ impl Algorithm for ClsagMultisig {
 // process even if they have access to commitments (specifically, the ring index being signed
 // for, along with the mask which should not only require knowing the shared keys yet also the
 // input commitment masks)
- let mut rng = ChaCha12Rng::from_seed(self.transcript.rng_seed(b"decoy_responses", None));
+ let mut rng = ChaCha12Rng::from_seed(self.transcript.rng_seed(b"decoy_responses"));
 self.msg = Some(msg.try_into().expect("CLSAG message should be 32-bytes"));
diff --git a/coins/monero/src/wallet/send/multisig.rs b/coins/monero/src/wallet/send/multisig.rs
index 12427561..1656b1ee 100644
--- a/coins/monero/src/wallet/send/multisig.rs
+++ b/coins/monero/src/wallet/send/multisig.rs
@@ -90,7 +90,7 @@ impl SignableTransaction {
 let decoys = Decoys::select(
 // Using a seeded RNG with a specific height, committed to above, should make these decoys
 // committed to. They'll also be committed to later via the TX message as a whole
- &mut ChaCha12Rng::from_seed(transcript.rng_seed(b"decoys", None)),
+ &mut ChaCha12Rng::from_seed(transcript.rng_seed(b"decoys")),
 rpc,
 height,
 &self.inputs
@@ -216,7 +216,7 @@ impl StateMachine for TransactionMachine {
 // Not invalid outputs due to already doing a dummy prep
 let (commitments, output_masks) = self.signable.prepare_outputs(
- &mut ChaCha12Rng::from_seed(self.transcript.rng_seed(b"tx_keys", None)),
+ &mut ChaCha12Rng::from_seed(self.transcript.rng_seed(b"tx_keys")),
 uniqueness(
 &images.iter().map(|image| Input::ToKey {
 amount: 0,
@@ -230,7 +230,7 @@ impl StateMachine for TransactionMachine {
 self.signable.prepare_transaction(
 &commitments,
 Bulletproofs::new(
- &mut ChaCha12Rng::from_seed(self.transcript.rng_seed(b"bulletproofs", None)),
+ &mut ChaCha12Rng::from_seed(self.transcript.rng_seed(b"bulletproofs")),
 &commitments
 ).unwrap()
 )
@@ -249,7 +249,7 @@ impl StateMachine for TransactionMachine {
 }
 sorted.sort_by(|x, y| x.2.compress().to_bytes().cmp(&y.2.compress().to_bytes()).reverse());
- let mut rng = ChaCha12Rng::from_seed(self.transcript.rng_seed(b"pseudo_out_masks", None));
+ let mut rng = ChaCha12Rng::from_seed(self.transcript.rng_seed(b"pseudo_out_masks"));
 let mut sum_pseudo_outs = Scalar::zero();
 while sorted.len() != 0 {
 let value = sorted.remove(0);
diff --git a/crypto/frost/Cargo.toml b/crypto/frost/Cargo.toml
index efe7a5a0..e0ae0b85 100644
--- a/crypto/frost/Cargo.toml
+++ b/crypto/frost/Cargo.toml
@@ -14,7 +14,6 @@
 rand_core = "0.6"
 ff = "0.11"
 group = "0.11"
-blake2 = "0.10"
 transcript = { path = "../transcript" }
 multiexp = { path = "../multiexp", features = ["batch"] }
diff --git a/crypto/frost/src/algorithm.rs b/crypto/frost/src/algorithm.rs
index 6f221879..87943ff8 100644
--- a/crypto/frost/src/algorithm.rs
+++ b/crypto/frost/src/algorithm.rs
@@ -73,7 +73,7 @@ impl Transcript for IetfTranscript {
 self.0.clone()
 }
- fn rng_seed(&mut self, _: &'static [u8], _: Option<[u8; 32]>) -> [u8; 32] {
+ fn rng_seed(&mut self, _: &'static [u8]) -> [u8; 32] {
 unimplemented!()
 }
 }
diff --git a/crypto/frost/src/schnorr.rs b/crypto/frost/src/schnorr.rs
index 31cc6065..238d8f4b 100644
--- a/crypto/frost/src/schnorr.rs
+++ b/crypto/frost/src/schnorr.rs
@@ -1,7 +1,6 @@
 use rand_core::{RngCore, CryptoRng};
 use ff::Field;
-use group::Group;
 use multiexp::BatchVerifier;
@@ -46,7 +45,7 @@ pub(crate) fn batch_verify(
 rng: &mut R,
 triplets: &[(u16, C::G, C::F, SchnorrSignature)]
 ) -> Result<(), u16> {
- let mut values = [(C::F::one(), C::G::generator()); 3];
+ let mut values = [(C::F::one(), C::generator()); 3];
 let mut batch = BatchVerifier::new(triplets.len(), C::little_endian());
 for triple in triplets {
 // s = r + ca
diff --git a/crypto/transcript/src/lib.rs b/crypto/transcript/src/lib.rs
index 483267a2..5a04ada8 100644
--- a/crypto/transcript/src/lib.rs
+++ b/crypto/transcript/src/lib.rs
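Review bot: `IetfTranscript::rng_seed` still resolves to `unimplemented!()` under the new signature, so any algorithm that seeds an RNG from an `IetfTranscript` fails at runtime with a panic rather than at compile time, and nothing on the method says so. A doc comment on the impl would make the limitation visible to callers, e.g. `/// Seeded RNGs are not supported by the IETF transcript; calling this panics.` If this transcript is only meant for the plain IETF FROST flow that never seeds an RNG, stating that in the same comment would explain why the panic is acceptable.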
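Review bot: The switch from `C::G::generator()` to `C::generator()` in `batch_verify` has no accompanying test, so nothing pins that batch verification agrees with single-signature verification for a curve whose `Curve::generator()` differs from the group's generator, which is exactly the case the fix targets. Since this is the only place the wrong basepoint would have silently produced a verification error, a regression test that signs with a known key, checks `batch_verify` returns `Ok(())`, and checks a tampered `s` is reported as `Err(id)` would guard the fix. The `values` placeholder presumably gets overwritten per triplet, but the body of `batch_verify` continues outside the hunk, so that could not be confirmed here.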
@@ -11,7 +11,7 @@ pub trait Transcript {
 fn domain_separate(&mut self, label: &[u8]);
 fn append_message(&mut self, label: &'static [u8], message: &[u8]);
 fn challenge(&mut self, label: &'static [u8]) -> Vec;
- fn rng_seed(&mut self, label: &'static [u8], additional_entropy: Option<[u8; 32]>) -> [u8; 32];
+ fn rng_seed(&mut self, label: &'static [u8]) -> [u8; 32];
 }
 #[derive(Clone, Debug)]
@@ -49,11 +49,7 @@ impl Transcript for DigestTranscript {
 D::new().chain_update(&self.0).finalize().to_vec()
 }
- fn rng_seed(&mut self, label: &'static [u8], additional_entropy: Option<[u8; 32]>) -> [u8; 32] {
- if additional_entropy.is_some() {
- self.append_message(b"additional_entropy", &additional_entropy.unwrap());
- }
-
+ fn rng_seed(&mut self, label: &'static [u8]) -> [u8; 32] {
 let mut seed = [0; 32];
 seed.copy_from_slice(&self.challenge(label)[0 .. 32]);
 seed
diff --git a/crypto/transcript/src/merlin.rs b/crypto/transcript/src/merlin.rs
index 88dfa9c3..18671545 100644
--- a/crypto/transcript/src/merlin.rs
+++ b/crypto/transcript/src/merlin.rs
@@ -30,11 +30,7 @@ impl Transcript for MerlinTranscript {
 challenge
 }
- fn rng_seed(&mut self, label: &'static [u8], additional_entropy: Option<[u8; 32]>) -> [u8; 32] {
- if additional_entropy.is_some() {
- transcript.append_message(b"additional_entropy", &additional_entropy.unwrap());
- }
-
+ fn rng_seed(&mut self, label: &'static [u8]) -> [u8; 32] {
 let mut seed = [0; 32];
 transcript.challenge_bytes(label, &mut seed);
 seed
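Review bot: With `additional_entropy` removed, the seed returned by `Transcript::rng_seed` is a pure function of the transcript state and `label`, and the trait does not document that contract, which is the security property the commit message relies on ("we derive entropy via the other fields in the transcript"). Callers seeding an RNG for secret material (the `tx_keys` and `pseudo_out_masks` call sites in this commit) need to know that the seed carries no entropy beyond what they have already appended. A doc comment on the trait method would state it: `/// Derive a 32-byte RNG seed from the current transcript state and `label`.` followed by `/// The seed is deterministic; any randomness the seeded RNG must have has to be appended to the transcript before calling this.` Whether calling it twice with the same label on an unchanged transcript returns the same seed depends on whether `challenge` mutates state, which the hunk does not show, so the comment should say which it is for each implementation.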
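Review bot: `seed.copy_from_slice(&self.challenge(label)[0 .. 32])` in `DigestTranscript::rng_seed` indexes the challenge with `[0 .. 32]`, which panics if the digest `D` produces fewer than 32 bytes, and nothing visible in the hunk constrains `D`'s output size. Either bound `D` so that short digests are rejected at compile time or document the precondition: `/// # Panics` and `/// Panics if `D`'s output is shorter than 32 bytes.` The `challenge` body shown derives its output from `self.0` only, so whether `label` is mixed in at all is decided by lines above the hunk; that is worth confirming, since distinct labels yielding identical seeds would make the `tx_keys` and `pseudo_out_masks` RNGs in this commit coincide.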
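Review bot: The retained line `transcript.challenge_bytes(label, &mut seed);` in `MerlinTranscript::rng_seed` refers to an identifier `transcript` that is neither a parameter nor a local of the method, and the `&mut self` receiver goes unused; unless a module-level `transcript` exists outside the hunk, this does not compile, and the removed lines carried the same reference, so the commit forwards the defect. If `MerlinTranscript` wraps a `merlin::Transcript` as its first tuple field the way `DigestTranscript` uses `self.0`, the line should read `self.0.challenge_bytes(label, &mut seed);`. A compile of this module under whatever feature gates it (it is not in this commit's build if the error has gone unnoticed) would settle it.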