Commit graph

74 commits

Author SHA1 Message Date
Luke Parker
5d7798c5fb
FROST clippy 2022-08-13 09:46:54 -04:00
Luke Parker
280fc441a7
Lint FROST
Corrects ertrors introduced a couple commits ago as well.
2022-08-13 08:50:59 -04:00
Luke Parker
454b73aec3
Add FROST key promotion
Closes https://github.com/serai-dex/serai/issues/72.

Adds a trait, with a commented impl for a semi-unsafe niche feature, 
which will be used in https://github.com/serai-dex/serai/issues/73.
2022-08-13 08:50:59 -04:00
Luke Parker
885d816309
Use a non-constant generator in FROST 2022-08-13 08:50:59 -04:00
Luke Parker
6f776ff004
Recalculate the group key instead of serializing it
Solves an issue with promotion.
2022-08-13 08:50:59 -04:00
Luke Parker
73205c5f96
Transcript the offset as a point
Potentially improves privacy with the reversion to a coordinator 
setting, where the coordinator is the only party with the offset. While 
any signer (or anyone) can claim key A relates to B, they can't prove it 
without the discrete log of the offset. This enables creating a signing 
process without a known offset, while maintaining a consistent 
transcript format.

Doesn't affect security given a static generator. Does have a slight 
effect on performance.
2022-08-13 08:50:59 -04:00
Luke Parker
a423c23c1e
Use zeroize instead of 0-sets 2022-08-12 01:14:13 -04:00
Luke Parker
797be71eb3
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs

Also makes bit decomposition constant time for a given amount of 
outputs.

* Fix nonce reuse for single-signer CLSAG

* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data

* Zeroize private keys and nonces

* Merge prepare_outputs and prepare_transactions

* Ensure CLSAG is constant time

* Pass by borrow where needed, bug fixes

The past few commitments have been one in-progress chunk which I've 
broken up as best read.

* Add Zeroize to FROST structs

Still needs to zeroize internally, yet next step. Not quite as 
aggressive as Monero, partially due to the limitations of HashMaps, 
partially due to less concern about metadata, yet does still delete a 
few smaller items of metadata (group key, context string...).

* Remove Zeroize from most Monero multisig structs

These structs largely didn't have private data, just fields with private 
data, yet those fields implemented ZeroizeOnDrop making them already 
covered. While there is still traces of the transaction left in RAM, 
fully purging that was never the intent.

* Use Zeroize within dleq

bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.

* Use Zeroize for random_nonce

It isn't perfect, due to the inability to zeroize the digest, and due to 
kp256 requiring a few transformations. It does the best it can though.

Does move the per-curve random_nonce to a provided one, which is allowed 
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.

* Use Zeroize on FROST keygen/signing

* Zeroize constant time multiexp.

* Correct when FROST keygen zeroizes

* Move the FROST keys Arc into FrostKeys

Reduces amount of instances in memory.

* Manually implement Debug for FrostCore to not leak the secret share

* Misc bug fixes

* clippy + multiexp test bug fixes

* Correct FROST key gen share summation

It leaked our own share for ourself.

* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
Luke Parker
8f76e67f57
Rename dleq-serai to dleq 2022-07-30 18:35:39 -04:00
Luke Parker
755dc84859
Replace rand with rand_core where possible
Turns out rand_core offers OsRng.
2022-07-27 05:45:08 -04:00
Luke Parker
76a7160ea5
Correct clippy warnings
Currently intended to be done with:
cargo clippy --features "recommended merlin batch serialize experimental 
ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity 
-A dead_code
2022-07-22 02:35:17 -04:00
Luke Parker
e67033a207 Apply an initial set of rustfmt rules 2022-07-16 15:16:30 -05:00
Luke Parker
5ede5b9e8f
Update the DLEq proof for any amount of generators
The two-generator limit wasn't required nor beneficial. This does 
theoretically optimize FROST, yet not for any current constructions. A 
follow up proof which would optimize current constructions has been 
noted in #38.

Adds explicit no_std support to the core DLEq proof.

Closes #34.
2022-07-13 23:29:48 -04:00
Luke Parker
6cc8ce840e
Move FROST to Read
Fixes https://github.com/serai-dex/serai/issues/33 and 
https://github.com/serai-dex/serai/issues/35. Also fixes a few potential 
panics/DoS AFAICT.
2022-07-13 02:38:29 -04:00
Luke Parker
d81f6270c7
Version bump and synchronize packages
Uses "dleq-serai", instead of "dleq", as the dleq crate name hasn't been 
transferred yet :(
2022-07-12 03:38:59 -04:00
Luke Parker
0b55fb6e06
Use a multiexp to calculate the FROST group nonce 2022-07-12 03:21:22 -04:00
Luke Parker
3e5cb5ea1f
Add the proposed IETF secp256k1 FROST vectors as NonIetf 2022-07-12 03:20:50 -04:00
Luke Parker
94f380f857
Update to FROST v7 2022-07-12 02:45:18 -04:00
Luke Parker
5eb61f3a87
Fix https://github.com/serai-dex/serai/issues/14. 2022-07-12 01:28:01 -04:00
Luke Parker
f7106f09ed
Add further must_uses 2022-07-07 14:28:42 -04:00
Luke Parker
daadb43875
Minor doc updates 2022-07-02 11:04:01 -04:00
Luke Parker
133c1222ad
Remove C::F_len, C::G_len for F_len<C> and G_len<C>
Relies on the ff/group API, instead of the custom Curve type.

Also removes GENERATOR_TABLE, only used by dalek, as we should provide 
our own API for that over ff/group instead. This slows down the FROST 
tests, under debug, by about 0.2-0.3s. Ed25519 and Ristretto together 
take ~2.15 seconds now.
2022-06-30 18:46:18 -04:00
Luke Parker
7890827a48
Implement variable-sized windows into multiexp
Closes https://github.com/serai-dex/serai/issues/17 by using the 
PrimeFieldBits API to do so.

Should greatly speed up small batches, along with batches in the 
hundreds. Saves almost a full second on the cross-group DLEq proof.
2022-06-30 09:30:24 -04:00
Luke Parker
1430b189bf
Enable no_std on transcript
Removes the Vec challenge for an associated type.

Fixes the merlin feature which was horribly broken.

Also adds no_std to dalek-ff-group.
2022-06-28 04:02:56 -04:00
Luke Parker
3de7a76051
Use GroupEncoding instead of Curve's from_slice/to_bytes
Increases usage of standardization while expanding dalek_ff_group.

Closes https://github.com/serai-dex/serai/issues/26 by moving 
dfg::EdwardsPoint to only be for the prime subgroup.
2022-06-28 01:25:26 -04:00
Luke Parker
ac17645fc8
Rename MultisigParams/MultisigKeys/MultisigView to Frost* 2022-06-28 00:09:41 -04:00
Luke Parker
7b70baaa96
Rename transcript-trait to flexible-transcript
It offers the trait for flexibility, yet it also offers an incredibly 
competent (and logical) transcript format, along with a Merlin wrapper.
2022-06-27 09:02:21 -04:00
Luke Parker
60254a0171
Reorganize FROST's handling of curves 2022-06-24 19:47:19 -04:00
Luke Parker
7ee9581d67
Use a macro to generate the Secp256k1/P-256 curves 2022-06-24 08:44:12 -04:00
Luke Parker
1caa6a9606
Enforce FROST StateMachine progression via the type system
A comment on the matter was made in 
https://github.com/serai-dex/serai/issues/12. While I do believe the API 
is slightly worse, I appreciate the explicitness.
2022-06-24 08:40:14 -04:00
Luke Parker
71fca06120
Correct monero/processor dependencies 2022-06-19 07:52:03 -04:00
Luke Parker
b49f8cbe4f
Prepare FROST for publishing 2022-06-19 06:38:06 -04:00
Luke Parker
382ff75455
Replace FROST's ff/group usage with just group 2022-06-19 06:36:47 -04:00
Luke Parker
b4c1adcdfb
Rename FROST's official package name and update documentation 2022-06-19 05:21:22 -04:00
Luke Parker
06e37623d0
Slightly clean FROST's dalek support 2022-06-19 05:13:42 -04:00
Luke Parker
27751d8d98
Successfully get processor to send a transaction out
Modifies FROST behavior so group_key has the offset applied regardless 
of if view was called. The unaltered secret_share and 
verification_shares (as they have differing values depending on the 
signing set) are no longer publicly accessible.
2022-06-09 02:48:53 -04:00
Luke Parker
714ce68deb
Add pippenger under multiexp 2022-06-07 00:02:10 -04:00
Luke Parker
301634dd8e
Add support for Ristretto
Replaces P-256 as the curve used for testing FROST.
2022-06-06 04:22:49 -04:00
Luke Parker
e0ce6e5c12
Add Ed25519 to FROST and remove expand_xmd for elliptic_curve's
Doesn't fully utilize ec's hash2curve module as k256 Scalar doesn't have 
FromOkm for some reason. The previously present bigint reduction is 
preserved.

Updates ff/group to 0.12.

Premised on https://github.com/cfrg/draft-irtf-cfrg-frost/pull/205 being 
merged, as while this Ed25519 is vector compliant, it's technically not 
spec compliant due to that conflict.
2022-06-06 02:18:25 -04:00
Luke Parker
55a895d65a
Add first party support for k256 and p256 under feature flags
Given the lack of vectors for k256, it's currently a match of the p256 
spec (with a distinct context string), yet p256 is still always used 
when testing.
2022-06-05 16:08:51 -04:00
Luke Parker
fdb1929ba4
Move to Arc/RwLock 2022-06-05 07:33:15 -04:00
Luke Parker
3617ed4eb7
Use const values for our traits where we can 2022-06-03 23:22:08 -04:00
Luke Parker
9b52cf4d20
Generalize out the FROST test for signing/signing with an offset
Moves Schnorr signature tests from test_curve to the new test_schnorr, 
which is more a test_frost.

Relevant to https://github.com/serai-dex/serai/issues/9.
2022-06-03 19:08:25 -04:00
Luke Parker
f8d127bf8a
Add FROST Ed25519 test vectors 2022-06-03 03:56:17 -04:00
Luke Parker
b4cd29f49a
Finish implementing FROST v5
Identity check for P256 and H4 was all that was needed.
2022-06-03 02:00:38 -04:00
Luke Parker
44452d9bfe
Verify being FROST v5 compliant
No functional changes have been made to signing, with solely slight API 
changes being made.

Technically not actually FROST v5 compatible, due to differing on zero 
checks and randomness, yet the vectors do confirm the core algorithm. 
For any valid FROST implementation, this will be interoperable if they 
can successfully communicate. For any devious FROST implementation, this 
will be fingerprintable, yet should still be valid.

Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can 
now specify vectors for itself and be tested against them.

Moves the FROST testing curve from k256 to p256. Does not expose p256 
despite being compliant. It's not at a point I'm happy with it, notably 
regarding hash to curve, and I'm not sure I care to support p256. If it 
has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
Luke Parker
de9710413a
Use big endian throughout FROST
Slightly changes serialization of keys to be t-n-i instead of n-t-i.
2022-06-03 00:55:41 -04:00
Luke Parker
7b4c5dbe52
Remove rng_seed's additional entropy
It was never used as we derive entropy via the other fields in the 
transcript, and explicitly add fields directly as needed for entropy.

Also drops an unused crate and corrects a bug in FROST's Schnorr 
implementation which used the Group's generator, instead of the Curve's.

Also updates the Monero crate's description.
2022-05-31 02:12:14 -04:00
Luke Parker
bfa15283f5
Remove Monero's test FROST file in favor of FROST"s exposed test files
Moves private key recovery for given keys into FROST.
2022-05-30 16:37:51 -04:00
Luke Parker
ce4c899422
Remove "as", except for floats as needed
Also updates Bulletproofs from C to not be length prefixed, yet rather 
have Rust calculate their length.

Corrects an error in key_gen where self was blamed, instead of the 
faulty participant.
2022-05-30 02:14:34 -04:00