Commit graph

388 commits

Author SHA1 Message Date
Luke Parker
a4cd1755a5
Document dalek-ff-group
Removes from_canonical_bytes, which is offered by from_repr, and 
from_bytes_mod_order, which frequently leads to security issues.

Removes the pointless Compressed type.

Adds From u8/u16/u32 as they're pleasant.
2022-07-09 02:01:22 -04:00
Luke Parker
5942492519
Support transcripts with 32-byte challenges in the DLEq crate 2022-07-09 00:38:30 -04:00
Luke Parker
f8760ae021
Document the transcript library 2022-07-09 00:37:39 -04:00
Luke Parker
c5f75568cd
Add READMEs to Serai and Monero 2022-07-08 16:23:26 -04:00
Luke Parker
f50fd76b31
Fix dalek_ff_group invert 2022-07-08 16:05:17 -04:00
Luke Parker
41eaa1b124
Increase constant-time properties of from_repr/from_bytes
It's still not perfect, as it's Option -> CtOption which requires an 
unwrap_or, but...
2022-07-08 15:30:56 -04:00
Luke Parker
a4c2f71610
Correct DLEq README column title 2022-07-07 14:28:53 -04:00
Luke Parker
f7106f09ed
Add further must_uses 2022-07-07 14:28:42 -04:00
Luke Parker
6c76458063
Statically link Monero
Closes https://github.com/serai-dex/serai/issues/11.
2022-07-07 14:13:24 -04:00
Luke Parker
7d13be5797
Update Monero submodule 2022-07-07 09:53:31 -04:00
Luke Parker
b69337a3a6
Tweak DLEq README and rename the experimental_cross_group feature to just experimental 2022-07-07 09:52:10 -04:00
Luke Parker
7cbdcc8ae6 Add a comprehensive README to dleq 2022-07-07 08:36:23 -05:00
Luke Parker
72afcf1f06 Mark cross_group as experimental
While all of Serai can be argued as experimental, the DLEq proof is 
especially so, as it's lacking any formal proofs over its theory.

Also adds doc(hidden) to the generic DLEqProof, now prefixed with __.
2022-07-07 08:36:23 -05:00
Luke Parker
4dbf50243b Fix serialization
This enabled getting the proof sizes, which are:
- ConciseLinear had a proof size of 44607 bytes
- CompromiseLinear had a proof size of 48765 bytes
- ClassicLinear had a proof size of 56829 bytes
- EfficientLinear had a proof size of 65145 byte
2022-07-07 08:36:23 -05:00
Luke Parker
c3a0e0375d Save an inversion on AOS verification
Incredibly minor, just nagged me
2022-07-07 08:36:23 -05:00
Luke Parker
44e0a41ca1 Add Classic/Compromise DLEqs and a benchmark
Formatted results from my laptop:

EfficientLinear had a average prove time of 188ms
EfficientLinear had a average verify time of 126ms

CompromiseLinear had a average prove time of 176ms
CompromiseLinear had a average verify time of 141ms

ConciseLinear had a average prove time of 191ms
ConciseLinear had a average verify time of 160ms

ClassicLinear had a average prove time of 214ms
ClassicLinear had a average verify time of 159ms

There is a decent error margin here. Concise is a drop-in replacement 
for Classic, in practice *not* theory. Efficient is optimal for 
performance, yet largest. Compromise is a middleground.
2022-07-07 08:36:23 -05:00
Luke Parker
1a2e6dc5cf Consolidate concise/efficient and clean 2022-07-07 08:36:23 -05:00
Luke Parker
7d80b6e854 Fix multiexp for debug as well
Oversight on my end.
2022-07-07 08:36:23 -05:00
Luke Parker
9f8d1aa220 Clean AOS signatures 2022-07-07 08:36:23 -05:00
Luke Parker
fd817a6958 Fix multiexp for 0-length batches 2022-07-07 08:36:23 -05:00
Luke Parker
26cee46950 Add a batch verified DLEq
The batch verified one offers ~23% faster verification. While this 
massively refactors for modularity, I'm still not happy with the DLEq 
proofs at the top level, nor am I happy with the AOS signatures. I'll 
work on cleaning them up more later.
2022-07-07 08:36:23 -05:00
Luke Parker
fe9a8d9495
Add must_use to the BatchVerifier's verify -> bool functions 2022-07-05 19:11:31 -04:00
Luke Parker
0ff5ee8292
Correct e_0 to actually be e_0 2022-07-05 15:14:04 -04:00
Luke Parker
2ac5ea651c
Use a ring per 2 bits instead of per bit
Reduces proof size by 21.5% without notable computational complexity 
changes. I wouldn't be surprised if it has minor ones, yet I can't 
comment in which way they go without further review.

Bit now verifies it can successfully complete the ring under debug, 
slightly increasing debug times.
2022-07-05 15:01:33 -04:00
Luke Parker
d17c9587b5
Fix mutual_scalar_from_bytes
It didn't properly grab bits, nor did it double as needed.
2022-07-05 08:10:16 -04:00
Luke Parker
bfe34ea6f8
Make the cross-group DLEq bit components pow 2, not the commitments as a whole
Few percent faster. Enables accumulating the current bit's point 
representation, whereas the blinding keys can't be accumulated. Also 
theoretically enables pre-computation of the bit points, removing 
hundreds of additions from the proof. When tested, this was less 
performant, possibly due to cache/heap allocation.
2022-07-05 05:18:12 -04:00
Luke Parker
3acfb5b7d2
Use a do-while in multiexp, first to please a friend, and then to annoy them
It's also legitimately cleaner code.
2022-07-02 14:22:17 -04:00
Luke Parker
a81a76da3b
Ensure multiexp never uses a zero-weight in its batch verifier 2022-07-02 14:08:04 -04:00
Luke Parker
daadb43875
Minor doc updates 2022-07-02 11:04:01 -04:00
Luke Parker
ed569ea9c8
Make multiexp an optional, yet default, feature for DLEq 2022-07-02 02:48:27 -04:00
Luke Parker
2e35854215
Rewrite the cross-group DLEq API to not allow proving for biased scalars 2022-07-02 02:46:40 -04:00
Luke Parker
7e058f1c08
Remove cross-group DLEq challenge bias as possible 2022-07-02 02:45:26 -04:00
Luke Parker
1c98f15d5b
Make the cross-group DLEqProof prove constant time
Instead of having if statements for the bits, it now has constant time 
ops. While there are still if statements guiding the proof itself, they 
aren't dependent on the data within.
2022-07-01 15:27:16 -04:00
Luke Parker
133c1222ad
Remove C::F_len, C::G_len for F_len<C> and G_len<C>
Relies on the ff/group API, instead of the custom Curve type.

Also removes GENERATOR_TABLE, only used by dalek, as we should provide 
our own API for that over ff/group instead. This slows down the FROST 
tests, under debug, by about 0.2-0.3s. Ed25519 and Ristretto together 
take ~2.15 seconds now.
2022-06-30 18:46:18 -04:00
Luke Parker
4eafbe2a09
Unify the cross-group DLEq challenges
This does reduce the strength of the challenges to that of the weaker 
field, yet that doesn't have any impact on whether or not this is ZK due 
to the key being shared across fields.

Saves ~8kb.
2022-06-30 11:23:13 -04:00
Luke Parker
7890827a48
Implement variable-sized windows into multiexp
Closes https://github.com/serai-dex/serai/issues/17 by using the 
PrimeFieldBits API to do so.

Should greatly speed up small batches, along with batches in the 
hundreds. Saves almost a full second on the cross-group DLEq proof.
2022-06-30 09:30:24 -04:00
Luke Parker
5d115f1e1c
Implement a DLEq library
While Serai only needs the simple DLEq which was already present under 
monero, this migrates the implementation of the cross-group DLEq I 
maintain into Serai. This was to have full access to the ecosystem of 
libraries built under Serai while also ensuring support for it.

The cross_group curve, which is extremely experimental, is feature 
flagged off. So is the built in serialization functionality, as this 
should be possible to make nostd once const generics are full featured, 
yet the implemented serialization adds the additional barrier of 
std::io.
2022-06-30 05:42:29 -04:00
Luke Parker
2e168204f0
Implement PrimeFieldBits for dalek-ff-group 2022-06-30 03:17:15 -04:00
Luke Parker
0a690f5632
Update the reference link for Guaranteed Addresses
Also lints Cargo.toml.
2022-06-30 03:16:51 -04:00
Luke Parker
f125f441ba
Bump dalek-ff-group version so its prime subgroup edit can be published 2022-06-28 22:21:17 -04:00
Luke Parker
1430b189bf
Enable no_std on transcript
Removes the Vec challenge for an associated type.

Fixes the merlin feature which was horribly broken.

Also adds no_std to dalek-ff-group.
2022-06-28 04:02:56 -04:00
Luke Parker
3de7a76051
Use GroupEncoding instead of Curve's from_slice/to_bytes
Increases usage of standardization while expanding dalek_ff_group.

Closes https://github.com/serai-dex/serai/issues/26 by moving 
dfg::EdwardsPoint to only be for the prime subgroup.
2022-06-28 01:25:26 -04:00
Luke Parker
ac17645fc8
Rename MultisigParams/MultisigKeys/MultisigView to Frost* 2022-06-28 00:09:41 -04:00
Luke Parker
7c86e4593a
Implement Guaranteed Addresses
Closes https://github.com/serai-dex/serai/issues/27.

monero-rs is now solely used for Extra encoding.
2022-06-28 00:01:20 -04:00
Luke Parker
7b70baaa96
Rename transcript-trait to flexible-transcript
It offers the trait for flexibility, yet it also offers an incredibly 
competent (and logical) transcript format, along with a Merlin wrapper.
2022-06-27 09:02:21 -04:00
Luke Parker
020d246b8f
Reorganize processor's handling of coins 2022-06-24 19:53:41 -04:00
Luke Parker
60254a0171
Reorganize FROST's handling of curves 2022-06-24 19:47:19 -04:00
Luke Parker
6775fb471e
Version bump Transcript trait
Preparation for yanking 0.1.0 which had an insecure format due to lack 
of length prefixing labels.
2022-06-24 18:59:28 -04:00
Luke Parker
a46524f0ce
Supply a RecommendedTranscript type of DT<Blake2b512> 2022-06-24 18:58:24 -04:00
Luke Parker
963d9eab10
Have DigestTranscript require a 32-byte hash
Needed to generate RNG seeds without panicking. Mandates at least a 
128-bit security level.
2022-06-24 18:49:04 -04:00