Commit graph

135 commits

Author SHA1 Message Date
github-actions[bot]
8e53522780
November 2022 - Rust Nightly Update (#144)
* Update nightly

* Have the latest nightly clippy pass

Co-authored-by: GitHub Actions <>
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2022-11-01 00:03:36 -05:00
Luke Parker
6eaed17952
Inline FROST processing functions into the machines' impls
This was done for the DKG and this similarly cleans up here.
2022-10-29 05:10:07 -04:00
Luke Parker
2379855b31
Create a dedicated crate for the DKG (#141)
* Add dkg crate

* Remove F_len and G_len

They're generally no longer used.

* Replace hash_to_vec with a provided method around associated type H: Digest

Part of trying to minimize this trait so it can be moved elsewhere. Vec, 
which isn't std, may have been a blocker.

* Encrypt secret shares within the FROST library

Reduces requirements on callers in order to be correct.

* Update usage of Zeroize within FROST

* Inline functions in key_gen

There was no reason to have them separated as they were. sign probably 
has the same statement available, yet that isn't the focus right now.

* Add a ciphersuite package which provides hash_to_F

* Set the Ciphersuite version to something valid

* Have ed448 export Scalar/FieldElement/Point at the top level

* Move FROST over to Ciphersuite

* Correct usage of ff in ciphersuite

* Correct documentation handling

* Move Schnorr signatures to their own crate

* Remove unused feature from schnorr

* Fix Schnorr tests

* Split DKG into a separate crate

* Add serialize to Commitments and SecretShare

Helper for buf = vec![]; .write(buf).unwrap(); buf

* Move FROST over to the new dkg crate

* Update Monero lib to latest FROST

* Correct ethereum's usage of features

* Add serialize to GeneratorProof

* Add serialize helper function to FROST

* Rename AddendumSerialize to WriteAddendum

* Update processor

* Slight fix to processor
2022-10-29 03:54:42 -05:00
Luke Parker
cbceaff678
Create dedicated message structures for FROST messages (#140)
* Create message types for FROST key gen

Taking in reader borrows absolutely wasn't feasible. Now, proper types
which can be read (and then passed directly, without a mutable borrow)
exist for key_gen. sign coming next.

* Move FROST signing to messages, not Readers/Writers/Vec<u8>

Also takes the nonce handling code and makes a dedicated file for it, 
aiming to resolve complex types and make the code more legible by 
replacing its previously inlined state.

* clippy

* Update FROST tests

* read_signature_share

* Update the Monero library to the new FROST packages

* Update processor to latest FROST

* Tweaks to terminology and documentation
2022-10-25 23:17:25 -05:00
Luke Parker
19488cf446
Fill out Cargo.tomls
Updated missing fields/sections, even if some won't be used, to 
standardize.

Also made FROST tests feature-gated.
2022-10-15 23:46:22 -04:00
Luke Parker
a0a54eb0de
Update to FROST v11
Ensures random functions never return zero. This, combined with a check 
commitments aren't 0, causes no serialized elements to be 0.

Also directly reads their vectors.
2022-10-13 00:38:36 -04:00
Luke Parker
2b7c9378c0
Update to FROST v10
Further expands documentation to near-completion.
2022-09-29 07:08:20 -04:00
Luke Parker
7870084b9e
Add further FROST documentation 2022-09-29 06:02:43 -04:00
Luke Parker
ca091a5f04
Expand and correct documentation 2022-09-29 05:25:29 -04:00
Luke Parker
19cd609cba
Use doc_auto_cfg 2022-09-29 04:47:55 -04:00
Luke Parker
8b0f0a3713
Publish an alpha version of the Monero crate (#123)
* Label the version as an alpha

* Add versions to Cargo.tomls

* Update to Zeroize 1.5

* Drop patch versions from monero-serai Cargo.toml

* Add a repository field

* Move generators to OUT_DIR

IIRC, I didn't do this originally as it constantly re-generated them. 
Unfortunately, since cargo is complaining about .generators, we have to.

* Remove Timelock::fee_weight

Transaction::fee_weight's has a comment, "Assumes Timelock::None since 
this library won't let you create a TX with a timelock". Accordingly, 
this is dead code.
2022-09-29 01:24:33 -05:00
Luke Parker
65c20638ce
fmt/clippy 2022-09-17 04:35:08 -04:00
Luke Parker
7d4fcdea9e
Update FROST Ed448 per request 2022-09-16 12:16:37 -04:00
Luke Parker
31b64b3082
Update according to the latest clippy 2022-09-04 21:23:38 -04:00
Luke Parker
081b9a1975
FROST Ed448 (#107)
* Theoretical ed448 impl

* Fixes

* Basic tests

* More efficient scalarmul

Precomputes a table to minimize additions required.

* Add a torsion test

* Split into a constant and variable time backend

The variable time one is still far too slow, at 53s for the tests (~5s a 
scalarmul). It should be usable as a PoC though.

* Rename unsafe Ed448

It's not only unworthy of the Serai branding and deserves more clarity
in the name.

* Add wide reduction to ed448

* Add Zeroize to Ed448

* Rename Ed448 group.rs to point.rs

* Minor lint to FROST

* Ed448 ciphersuite with 8032 test vector

* Macro out the backend fields

* Slight efficiency improvement to point decompression

* Disable the multiexp test in FROST for Ed448

* fmt + clippy ed448

* Fix an infinite loop in the constant time ed448 backend

* Add b"chal" to the 8032 context string for Ed448

Successfully tests against proposed vectors for the FROST IETF draft.

* Fix fmt and clippy

* Use a tabled pow algorithm in ed448's const backend

* Slight tweaks to variable time backend

Stop from_repr(MODULUS) from passing.

* Use extended points

Almost two orders of magnitude faster.

* Efficient ed448 doubling

* Remove the variable time backend

With the recent performance improvements, the constant time backend is 
now 4x faster than the variable time backend was. While the variable 
time backend remains much faster, and the constant time backend is still 
slow compared to other libraries, it's sufficiently performant now.

The FROST test, which runs a series of multiexps over the curve, does 
take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s.

While 50x slower than secp256k1 is horrible, it's ~1.5 orders of 
magntiude, which is close enough to the desire stated in 
https://github.com/serai-dex/serai/issues/108 to meet it.

Largely makes this library safe to use.

* Correct constants in ed448

* Rename unsafe-ed448 to minimal-ed448

Enables all FROST tests against it.

* No longer require the hazmat feature to use ed448

* Remove extraneous as_refs
2022-08-29 02:32:59 -05:00
Luke Parker
a8a00598e4
Update to FROST v8 2022-08-26 05:59:43 -04:00
Luke Parker
5d7798c5fb
FROST clippy 2022-08-13 09:46:54 -04:00
Luke Parker
280fc441a7
Lint FROST
Corrects ertrors introduced a couple commits ago as well.
2022-08-13 08:50:59 -04:00
Luke Parker
454b73aec3
Add FROST key promotion
Closes https://github.com/serai-dex/serai/issues/72.

Adds a trait, with a commented impl for a semi-unsafe niche feature, 
which will be used in https://github.com/serai-dex/serai/issues/73.
2022-08-13 08:50:59 -04:00
Luke Parker
885d816309
Use a non-constant generator in FROST 2022-08-13 08:50:59 -04:00
Luke Parker
6f776ff004
Recalculate the group key instead of serializing it
Solves an issue with promotion.
2022-08-13 08:50:59 -04:00
Luke Parker
73205c5f96
Transcript the offset as a point
Potentially improves privacy with the reversion to a coordinator 
setting, where the coordinator is the only party with the offset. While 
any signer (or anyone) can claim key A relates to B, they can't prove it 
without the discrete log of the offset. This enables creating a signing 
process without a known offset, while maintaining a consistent 
transcript format.

Doesn't affect security given a static generator. Does have a slight 
effect on performance.
2022-08-13 08:50:59 -04:00
Luke Parker
a423c23c1e
Use zeroize instead of 0-sets 2022-08-12 01:14:13 -04:00
Luke Parker
797be71eb3
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs

Also makes bit decomposition constant time for a given amount of 
outputs.

* Fix nonce reuse for single-signer CLSAG

* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data

* Zeroize private keys and nonces

* Merge prepare_outputs and prepare_transactions

* Ensure CLSAG is constant time

* Pass by borrow where needed, bug fixes

The past few commitments have been one in-progress chunk which I've 
broken up as best read.

* Add Zeroize to FROST structs

Still needs to zeroize internally, yet next step. Not quite as 
aggressive as Monero, partially due to the limitations of HashMaps, 
partially due to less concern about metadata, yet does still delete a 
few smaller items of metadata (group key, context string...).

* Remove Zeroize from most Monero multisig structs

These structs largely didn't have private data, just fields with private 
data, yet those fields implemented ZeroizeOnDrop making them already 
covered. While there is still traces of the transaction left in RAM, 
fully purging that was never the intent.

* Use Zeroize within dleq

bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.

* Use Zeroize for random_nonce

It isn't perfect, due to the inability to zeroize the digest, and due to 
kp256 requiring a few transformations. It does the best it can though.

Does move the per-curve random_nonce to a provided one, which is allowed 
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.

* Use Zeroize on FROST keygen/signing

* Zeroize constant time multiexp.

* Correct when FROST keygen zeroizes

* Move the FROST keys Arc into FrostKeys

Reduces amount of instances in memory.

* Manually implement Debug for FrostCore to not leak the secret share

* Misc bug fixes

* clippy + multiexp test bug fixes

* Correct FROST key gen share summation

It leaked our own share for ourself.

* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
Luke Parker
755dc84859
Replace rand with rand_core where possible
Turns out rand_core offers OsRng.
2022-07-27 05:45:08 -04:00
Luke Parker
76a7160ea5
Correct clippy warnings
Currently intended to be done with:
cargo clippy --features "recommended merlin batch serialize experimental 
ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity 
-A dead_code
2022-07-22 02:35:17 -04:00
Luke Parker
e67033a207 Apply an initial set of rustfmt rules 2022-07-16 15:16:30 -05:00
Luke Parker
5ede5b9e8f
Update the DLEq proof for any amount of generators
The two-generator limit wasn't required nor beneficial. This does 
theoretically optimize FROST, yet not for any current constructions. A 
follow up proof which would optimize current constructions has been 
noted in #38.

Adds explicit no_std support to the core DLEq proof.

Closes #34.
2022-07-13 23:29:48 -04:00
Luke Parker
6cc8ce840e
Move FROST to Read
Fixes https://github.com/serai-dex/serai/issues/33 and 
https://github.com/serai-dex/serai/issues/35. Also fixes a few potential 
panics/DoS AFAICT.
2022-07-13 02:38:29 -04:00
Luke Parker
d81f6270c7
Version bump and synchronize packages
Uses "dleq-serai", instead of "dleq", as the dleq crate name hasn't been 
transferred yet :(
2022-07-12 03:38:59 -04:00
Luke Parker
0b55fb6e06
Use a multiexp to calculate the FROST group nonce 2022-07-12 03:21:22 -04:00
Luke Parker
3e5cb5ea1f
Add the proposed IETF secp256k1 FROST vectors as NonIetf 2022-07-12 03:20:50 -04:00
Luke Parker
94f380f857
Update to FROST v7 2022-07-12 02:45:18 -04:00
Luke Parker
5eb61f3a87
Fix https://github.com/serai-dex/serai/issues/14. 2022-07-12 01:28:01 -04:00
Luke Parker
f7106f09ed
Add further must_uses 2022-07-07 14:28:42 -04:00
Luke Parker
daadb43875
Minor doc updates 2022-07-02 11:04:01 -04:00
Luke Parker
133c1222ad
Remove C::F_len, C::G_len for F_len<C> and G_len<C>
Relies on the ff/group API, instead of the custom Curve type.

Also removes GENERATOR_TABLE, only used by dalek, as we should provide 
our own API for that over ff/group instead. This slows down the FROST 
tests, under debug, by about 0.2-0.3s. Ed25519 and Ristretto together 
take ~2.15 seconds now.
2022-06-30 18:46:18 -04:00
Luke Parker
7890827a48
Implement variable-sized windows into multiexp
Closes https://github.com/serai-dex/serai/issues/17 by using the 
PrimeFieldBits API to do so.

Should greatly speed up small batches, along with batches in the 
hundreds. Saves almost a full second on the cross-group DLEq proof.
2022-06-30 09:30:24 -04:00
Luke Parker
1430b189bf
Enable no_std on transcript
Removes the Vec challenge for an associated type.

Fixes the merlin feature which was horribly broken.

Also adds no_std to dalek-ff-group.
2022-06-28 04:02:56 -04:00
Luke Parker
3de7a76051
Use GroupEncoding instead of Curve's from_slice/to_bytes
Increases usage of standardization while expanding dalek_ff_group.

Closes https://github.com/serai-dex/serai/issues/26 by moving 
dfg::EdwardsPoint to only be for the prime subgroup.
2022-06-28 01:25:26 -04:00
Luke Parker
ac17645fc8
Rename MultisigParams/MultisigKeys/MultisigView to Frost* 2022-06-28 00:09:41 -04:00
Luke Parker
60254a0171
Reorganize FROST's handling of curves 2022-06-24 19:47:19 -04:00
Luke Parker
7ee9581d67
Use a macro to generate the Secp256k1/P-256 curves 2022-06-24 08:44:12 -04:00
Luke Parker
1caa6a9606
Enforce FROST StateMachine progression via the type system
A comment on the matter was made in 
https://github.com/serai-dex/serai/issues/12. While I do believe the API 
is slightly worse, I appreciate the explicitness.
2022-06-24 08:40:14 -04:00
Luke Parker
382ff75455
Replace FROST's ff/group usage with just group 2022-06-19 06:36:47 -04:00
Luke Parker
06e37623d0
Slightly clean FROST's dalek support 2022-06-19 05:13:42 -04:00
Luke Parker
27751d8d98
Successfully get processor to send a transaction out
Modifies FROST behavior so group_key has the offset applied regardless 
of if view was called. The unaltered secret_share and 
verification_shares (as they have differing values depending on the 
signing set) are no longer publicly accessible.
2022-06-09 02:48:53 -04:00
Luke Parker
714ce68deb
Add pippenger under multiexp 2022-06-07 00:02:10 -04:00
Luke Parker
301634dd8e
Add support for Ristretto
Replaces P-256 as the curve used for testing FROST.
2022-06-06 04:22:49 -04:00
Luke Parker
e0ce6e5c12
Add Ed25519 to FROST and remove expand_xmd for elliptic_curve's
Doesn't fully utilize ec's hash2curve module as k256 Scalar doesn't have 
FromOkm for some reason. The previously present bigint reduction is 
preserved.

Updates ff/group to 0.12.

Premised on https://github.com/cfrg/draft-irtf-cfrg-frost/pull/205 being 
merged, as while this Ed25519 is vector compliant, it's technically not 
spec compliant due to that conflict.
2022-06-06 02:18:25 -04:00
Luke Parker
55a895d65a
Add first party support for k256 and p256 under feature flags
Given the lack of vectors for k256, it's currently a match of the p256 
spec (with a distinct context string), yet p256 is still always used 
when testing.
2022-06-05 16:08:51 -04:00
Luke Parker
fdb1929ba4
Move to Arc/RwLock 2022-06-05 07:33:15 -04:00
Luke Parker
3617ed4eb7
Use const values for our traits where we can 2022-06-03 23:22:08 -04:00
Luke Parker
9b52cf4d20
Generalize out the FROST test for signing/signing with an offset
Moves Schnorr signature tests from test_curve to the new test_schnorr, 
which is more a test_frost.

Relevant to https://github.com/serai-dex/serai/issues/9.
2022-06-03 19:08:25 -04:00
Luke Parker
f8d127bf8a
Add FROST Ed25519 test vectors 2022-06-03 03:56:17 -04:00
Luke Parker
b4cd29f49a
Finish implementing FROST v5
Identity check for P256 and H4 was all that was needed.
2022-06-03 02:00:38 -04:00
Luke Parker
44452d9bfe
Verify being FROST v5 compliant
No functional changes have been made to signing, with solely slight API 
changes being made.

Technically not actually FROST v5 compatible, due to differing on zero 
checks and randomness, yet the vectors do confirm the core algorithm. 
For any valid FROST implementation, this will be interoperable if they 
can successfully communicate. For any devious FROST implementation, this 
will be fingerprintable, yet should still be valid.

Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can 
now specify vectors for itself and be tested against them.

Moves the FROST testing curve from k256 to p256. Does not expose p256 
despite being compliant. It's not at a point I'm happy with it, notably 
regarding hash to curve, and I'm not sure I care to support p256. If it 
has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
Luke Parker
de9710413a
Use big endian throughout FROST
Slightly changes serialization of keys to be t-n-i instead of n-t-i.
2022-06-03 00:55:41 -04:00
Luke Parker
7b4c5dbe52
Remove rng_seed's additional entropy
It was never used as we derive entropy via the other fields in the 
transcript, and explicitly add fields directly as needed for entropy.

Also drops an unused crate and corrects a bug in FROST's Schnorr 
implementation which used the Group's generator, instead of the Curve's.

Also updates the Monero crate's description.
2022-05-31 02:12:14 -04:00
Luke Parker
bfa15283f5
Remove Monero's test FROST file in favor of FROST"s exposed test files
Moves private key recovery for given keys into FROST.
2022-05-30 16:37:51 -04:00
Luke Parker
ce4c899422
Remove "as", except for floats as needed
Also updates Bulletproofs from C to not be length prefixed, yet rather 
have Rust calculate their length.

Corrects an error in key_gen where self was blamed, instead of the 
faulty participant.
2022-05-30 02:14:34 -04:00
Luke Parker
614badfef7
Lint FROST key gen and optimize sign for the success path 2022-05-30 01:46:30 -04:00
Luke Parker
5a1f273cd5
Correct verification share calculation from n * n * t to just n * t
Reduces key gen execution time by a factor of 3.
2022-05-29 19:52:27 -04:00
Luke Parker
f6a41d9836
Clarify FROST's test-provided secp256k1 curve definition 2022-05-28 21:06:25 -04:00
Luke Parker
244d1b6b68
Clarify FROST's hash functions
Updates the keygen challenge to a format not vulnerable to collisions 
due to having multiple variable length elements.
2022-05-28 20:34:44 -04:00
Luke Parker
e950b9682b
Add get_block_transactions_possible which automatically filters invalid TXs
Adds Clone to the various error types, which they already should've had.
2022-05-28 05:08:37 -04:00
Luke Parker
469ce9106b
Implement a binary search for BatchVerifier blame
Adds helper functions to verify and, on failure, blame, which move an 
unwrap from callers into multiexp where it's guaranteed to be safe and 
easily verified to be proper.

Closes https://github.com/serai-dex/serai/issues/10.
2022-05-27 02:01:01 -04:00
Luke Parker
c90e957e6a
Add a batch verifier to multiexp, along with constant time variants
Saves ~8% during FROST key gen, even with dropping a vartime for a 
constant time (as needed to be secure), as the new batch verifier is 
used where batch verification previously wasn't. The new multiexp API 
itself also offered a very slight performance boost, which may solely be 
a measurement error.

Handles most of https://github.com/serai-dex/serai/issues/10. The blame 
function isn't binary searched nor randomly sorted yet.
2022-05-27 00:52:44 -04:00
Luke Parker
4ddb838a5a
Drop the Monero patch version spec now that it's no longer relevant
Also adds a comment to FROST.
2022-05-26 03:52:45 -04:00
Luke Parker
d45473b2bd
Add a test for batch verification 2022-05-25 00:57:00 -04:00
Luke Parker
868a63a6b2
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9 2022-05-25 00:29:20 -04:00
Luke Parker
1eaf2f897b
Consolidate Schnorr code in FROST 2022-05-25 00:22:00 -04:00
Luke Parker
d67d6f2f98
Add PartialEq to structs 2022-05-25 00:21:01 -04:00
Luke Parker
d10c6e16dc
Move FROST to HashMaps
Honestly, the borrowed keys are frustrating, and this probably reduces 
performance while no longer offering an order when iterating. That said, 
they enable full u16 indexing and should mildly improve the API.

Cleans the Proof of Knowledge handling present in key gen.
2022-05-24 21:41:14 -04:00
Luke Parker
5ff65bd268
Move the DLEQProof to a Transcript 2022-05-23 03:24:33 -04:00
Luke Parker
90fccc444b
Remove .is_some() unwraps for if let Some 2022-05-18 01:08:54 -04:00
Luke Parker
fd0fd77cf5
Simplify Monero key image handling 2022-05-17 19:15:53 -04:00
Luke Parker
dcd909a839
Allow offsetting FROST keys multiple times 2022-05-14 15:04:08 -04:00
Luke Parker
3dab26cd94
Correct discrepancies with the IETF draft
While all the transcript/extension code works as expected, which means, 
they don't cause any conflicts, n was still capped at u64::MAX at 
creation when it needs to be u16. Furthermore, participant index and 
scalars/points were little endian instead of big endian/curve dependent.
2022-05-06 07:49:18 -04:00
Luke Parker
964cb357e6
Use a global transcript 2022-05-06 07:33:08 -04:00
Luke Parker
cc9c2e0d40
Use dom-sep tags in the transcripts
Also simplifies form in some places
2022-05-06 01:35:23 -04:00
Luke Parker
9a42391b75
Cleanup which makes transcript optional, only required for multisig 2022-05-03 08:49:46 -04:00
Luke Parker
56fc39fff5
Fix https://github.com/serai-dex/serai/issues/5 2022-05-03 07:42:09 -04:00
Luke Parker
bf257b3a1f
Transcript crate with both a merlin backend and a basic label len value backend
Moves binding factor/seeded RNGs over to the transcripts.
2022-05-03 07:20:24 -04:00
Luke Parker
87f38cafe4
Rename sign folder to crypto
Inspired by #3 and #5.
2022-05-03 00:46:50 -04:00