Commit graph

523 commits

Author SHA1 Message Date
Luke Parker
885d816309
Use a non-constant generator in FROST 2022-08-13 08:50:59 -04:00
Luke Parker
6f776ff004
Recalculate the group key instead of serializing it
Solves an issue with promotion.
2022-08-13 08:50:59 -04:00
Luke Parker
73205c5f96
Transcript the offset as a point
Potentially improves privacy with the reversion to a coordinator 
setting, where the coordinator is the only party with the offset. While 
any signer (or anyone) can claim key A relates to B, they can't prove it 
without the discrete log of the offset. This enables creating a signing 
process without a known offset, while maintaining a consistent 
transcript format.

Doesn't affect security given a static generator. Does have a slight 
effect on performance.
2022-08-13 08:50:59 -04:00
J. Burfeind
a58b3a133c
Add implementation for is_odd() (#79)
in dalek-ff-group

Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2022-08-12 15:05:48 -05:00
J. Burfeind
169d5e26ca
Add constant EDWARDS_D in dalek-ff-group (#78) 2022-08-12 15:00:55 -05:00
Luke Parker
96a49d8a88
Remove unnecessary parentheses 2022-08-12 15:53:48 -04:00
Luke Parker
a423c23c1e
Use zeroize instead of 0-sets 2022-08-12 01:14:13 -04:00
Luke Parker
42a3d38b48
Zeroize buffer used in Scalar::from_hash
from_hash is frequently used for private key/nonce generation, making 
this buffer a copy of private keys/nonces.
2022-08-04 14:40:54 -04:00
Luke Parker
797be71eb3
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs

Also makes bit decomposition constant time for a given amount of 
outputs.

* Fix nonce reuse for single-signer CLSAG

* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data

* Zeroize private keys and nonces

* Merge prepare_outputs and prepare_transactions

* Ensure CLSAG is constant time

* Pass by borrow where needed, bug fixes

The past few commitments have been one in-progress chunk which I've 
broken up as best read.

* Add Zeroize to FROST structs

Still needs to zeroize internally, yet next step. Not quite as 
aggressive as Monero, partially due to the limitations of HashMaps, 
partially due to less concern about metadata, yet does still delete a 
few smaller items of metadata (group key, context string...).

* Remove Zeroize from most Monero multisig structs

These structs largely didn't have private data, just fields with private 
data, yet those fields implemented ZeroizeOnDrop making them already 
covered. While there is still traces of the transaction left in RAM, 
fully purging that was never the intent.

* Use Zeroize within dleq

bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.

* Use Zeroize for random_nonce

It isn't perfect, due to the inability to zeroize the digest, and due to 
kp256 requiring a few transformations. It does the best it can though.

Does move the per-curve random_nonce to a provided one, which is allowed 
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.

* Use Zeroize on FROST keygen/signing

* Zeroize constant time multiexp.

* Correct when FROST keygen zeroizes

* Move the FROST keys Arc into FrostKeys

Reduces amount of instances in memory.

* Manually implement Debug for FrostCore to not leak the secret share

* Misc bug fixes

* clippy + multiexp test bug fixes

* Correct FROST key gen share summation

It leaked our own share for ourself.

* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
Luke Parker
a30568ff57
Add init function for BP statics
Considering they take 7 seconds to generate, thanks to #68, the ability 
to generate them at the start instead of on first BP is greatly 
appreciated.

Also performs minor cleanups regarding BPs.
2022-08-02 15:52:27 -04:00
Luke Parker
9221dbf048
Bulletproofs+ Verification 2022-08-01 23:30:24 -04:00
Luke Parker
d07fe34a24
Reorganize bulletproofs 2022-07-31 23:12:45 -04:00
Luke Parker
1c4707136c
Ban unreduced points in Monero 2022-07-31 22:46:46 -04:00
Luke Parker
6340607827
BP Verification (#75)
* Use a struct in an enum for Bulletproofs

* verification bp working for just one proof

* add some more assert tests

* Clean BP verification

* Implement batch verification

* Add a debug assertion w_cache isn't 0

It's initially set to 0 and if not updated, this would be broken.

* Correct Monero workflow yaml

* Again try to corrent Monero workflow yaml

* Again

* Finally

* Re-apply weights as required by Bulletproofs

Removing these was insecure and my fault.

Co-authored-by: DangerousFreedom <dangfreed@tutanota.com>
2022-07-31 21:45:53 -05:00
Luke Parker
0453b6cbc1
Correct Monero workflow yaml 2022-07-30 19:32:27 -04:00
Luke Parker
8f76e67f57
Rename dleq-serai to dleq 2022-07-30 18:35:39 -04:00
Luke Parker
aeb85b47ba
Reduce amount of tests run in monero-tests 2022-07-30 04:49:55 -04:00
Luke Parker
534f951165
Consolidate GitHub CI actions, split out Monero (#71)
* Consolidate GitHub CI actions, split out Monero

build now includes the specified Rust toolchain/components.

Added a test dependencies action which grabs Foundry and Monero.

Split the Monero v14 job into a matrixed job in its own workflow flow. 
It's now only run when Monero has changes.

* Correct Monero unit/integration tests run timing

Additionally tests a feature-less Monero build.

Also removes a pointless Monero file, which already should have been 
removed, causing this workflow to be triggered.

* Correct exclusion and paths

Updates to FROST should re-run the Monero tests to ensure it didn't 
introduce API incompatibilities.
2022-07-29 09:36:09 -05:00
Luke Parker
33c55b8506
Extend the test workflow to also test against Monero v14 (v0.17) 2022-07-28 23:31:27 -04:00
Luke Parker
bba93a64c2
Implement view tags 2022-07-27 06:29:14 -04:00
Luke Parker
755dc84859
Replace rand with rand_core where possible
Turns out rand_core offers OsRng.
2022-07-27 05:45:08 -04:00
Luke Parker
023afaf7ce
Bulletproofs+ (#70)
* Initial stab at Bulletproofs+

Does move around the existing Bulletproofs code, does still work as 
expected.

* Make the Clsag RCTPrunable type work with BP and BP+

* Initial set of BP+ bug fixes

* Further bug fixes

* Remove RING_LEN as a constant

* Monero v16 TX support

Doesn't implement view tags, nor going back to v14, nor the updated BP 
clawback logic.

* Support v14 and v16 at the same time
2022-07-27 04:05:43 -05:00
Luke Parker
37b8e3c025
Modularize Bulletproofs in prep for BP+ 2022-07-26 08:06:56 -04:00
Luke Parker
60e15d5160
Remove re-calculation of N
Moves most BP assertions to debug.
2022-07-26 05:31:15 -04:00
Luke Parker
7d9834be87
Correct clippy, remove Monero build depends 2022-07-26 03:48:46 -04:00
Luke Parker
696da8228e
Remove Monero as a dependency
Introduces missing CLSAG checks. The only difference now should be the 
additional rejection of torsioned points, which is relevant to 
https://github.com/serai-dex/serai/issues/25. Considering this is only 
currently used for FROST verification, this should be fine.

Closes https://github.com/serai-dex/serai/issues/19 by making it 
irrelevant.

Increases priority of https://github.com/serai-dex/serai/issues/68, as 
now it's used for the BP generators which are done at first-proof.

Also merges BP's stricter hash_to_point with the library's, since CLSAG 
has the same bound.
2022-07-26 03:25:57 -04:00
Luke Parker
ee29f6d6d8
Implement Bulletproofs in Rust (#69)
* Initial attempt at Bulletproofs

I don't know why this doesn't work. The generators and hash_cache lines
up without issue. AFAICT, the inner product proof is valid as well, as
are all included formulas.

* Add yinvpow asserts

* Clean code

* Correct bad imports

* Fix the definition of TWO_N

Bulletproofs work now :D

* Tidy up a bit

* fmt + clippy

* Compile a variety of XMR dependencies with optimizations, even under dev

The Rust bulletproof implementation is 8% slower than C right now, under 
release. This is acceptable, even if suboptimal. Under debug, they take 
a quarter of a second to two seconds though, depending on the amount of 
outputs, which justifies this move.

* Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
Luke Parker
3711e13009
Remove old duplicates of the AGPL-3.0 2022-07-24 09:33:08 -04:00
Luke Parker
f25bd88030
Test bulletproof creation and verification 2022-07-24 09:00:55 -04:00
Luke Parker
10ab467160
Don't use a constant for H yet re-calculate it 2022-07-24 08:57:33 -04:00
Luke Parker
1362764b2b
Only cache cargo registry and git 2022-07-23 07:10:25 -04:00
Luke Parker
18a1d15f78
Use composite actions in CI (#65)
* Attempt composite actions in CI

* Remove needs monero-daemon for the action

* Correct actions folder layout

* Remove empty inputs/outputs, add shell

* Try moving env declaration spot

* Remove usage of env

* Cached Rust composite action

* Replace [] with ""

Remove empty outputs
2022-07-23 06:05:31 -05:00
Luke Parker
bb3ffa9021
Add social links to the README 2022-07-23 05:20:36 -04:00
Luke Parker
5b80ead18c
Remove the build CI task now
It's identical to test, except it doesn't grab Foundry nor spawn a 
Monero regtest daemon. It doubles the amount of time test takes though, 
as it's doing everything twice.

While it may have value as a component, we're not using it like that 
right now, and if desired, we could add it back. While it may have value 
to produce binaries, we're note doing that either, and it wasn't 
building in release.
2022-07-23 05:07:13 -04:00
Luke Parker
42d62c38b9
Remove the Monero build (#64)
* Remove the Monero CMake and make

* Download the Monero daemon instead of building it

* Cache the Monero daemon

Prevents hammering the Monero servers, should reduce CI time.

* Correct YAML

* Add back sodium-dev

* Create an independent job for downloading the Monero daemon

Improves parallelism while decreasing the amount of work re-done if 
build fails. Also increases modularity.

* Correct Monero job definition

* Correct skipping the Monero download on cache hit
2022-07-23 03:35:32 -05:00
Luke Parker
b80c1bec4c
Update dependencies
ethers previously used a git spec due to depending on not-yet-published 
updates. Now that they've been released, a properly published version is 
used.
2022-07-22 12:36:30 -04:00
noot
bd93d6ec8a
set up CI (#45)
* begin to setup ci

* attempt to fix build

* fix paths in build script

* fix

* satisfy clippy

* update fmt check to use nightly

* use nightly for build

* fmt

* fix fmt install

* update test script

* try to fix fmt

* merge w develop

* maybe fix build script

* install wasm toolchain

* install solc-select, use stable rust to build

* Correct clippy warnings

Currently intended to be done with:
cargo clippy --features "recommended merlin batch serialize experimental 
ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity 
-A dead_code

* Remove try-runtime

I tried to get this to work for an hour. I have no idea why it doesn't, 
yet it doesn't.

* Rewrite workflow

Splits tasks into a more modular structure. Also uses 
actions-rs/toolchain.

* Add a cache

* Immediately try building ETH/Monero while this is fixed

Adds solc-select use.

* Revert selective advance building of ETH/XMR

ETH builds now, so it hopefully should work now.

Also moves from on push to on push to develop.

* Install Monero runtime dependencies

Specify missing Rust toolchain setting.

* Correct multi-line commands

* Fix multi-line commands again

Cache Ethereum artifacts.

* Add Foundry

* Move Clippy under build

* Minimal rustup

Adds wasm Clippy. Puts Clippy before build.

* Use nightly clippy

* Remove old clippy call from under build

* Have the Monero build script support ARCH specification

Requirement for CI.

* Add WASM toolchain to tests

* Remove Ethereum cache which did not work as needed

* Remove extraneous quotes which broke builds on Arch

Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2022-07-22 11:31:29 -05:00
Luke Parker
76a7160ea5
Correct clippy warnings
Currently intended to be done with:
cargo clippy --features "recommended merlin batch serialize experimental 
ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity 
-A dead_code
2022-07-22 02:35:17 -04:00
Luke Parker
3556584478
Correct missing escape sequences 2022-07-22 00:32:18 -04:00
Luke Parker
9f6eb205b0 Address review comments from #53 2022-07-21 23:30:51 -05:00
Luke Parker
e617783f09 Correct bullet point spacing 2022-07-21 23:30:51 -05:00
Luke Parker
146db6836e Update Validators doc per https://github.com/serai-dex/serai/issues/55 2022-07-21 23:30:51 -05:00
Luke Parker
cd8b116fd8 cargo fmt 2022-07-21 23:30:51 -05:00
Luke Parker
a733bb5865 Update the ink! contract to match docs 2022-07-21 23:30:51 -05:00
Luke Parker
375967b165 Correct table formatting and clarify network docs 2022-07-21 23:30:51 -05:00
Luke Parker
4186bc93a8 Update the Multisig documentation to be designed around Validator Sets 2022-07-21 23:30:51 -05:00
Luke Parker
1994dab634 Add documentation on Validator Sets 2022-07-21 23:30:51 -05:00
Luke Parker
d320af06a7 Rewrite the Validators spec
Moves Oraclization/Report to Consensus for now.
2022-07-21 23:30:51 -05:00
Luke Parker
1b461ca5be Split Validators and Consensus docs 2022-07-21 23:30:51 -05:00
Luke Parker
895fbae2dc Add a full success route test for the multisig contract 2022-07-21 23:30:51 -05:00