Commit graph

39 commits

Author SHA1 Message Date
Luke Parker
9af111b4aa
Rust 1.79, cargo update 2024-06-13 15:57:08 -04:00
Luke Parker
c2fffb9887
Correct a couple years of accumulated typos 2023-12-17 02:06:51 -05:00
Luke Parker
ea3af28139
Add workspace lints 2023-12-17 00:04:47 -05:00
github-actions[bot]
a2089c61fb
November 2023 - Rust Nightly Update (#413)
* Update nightly

* Replace .get(0) with .first()

* allow new clippy lint

---------

Co-authored-by: GitHub Actions <>
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-11-03 05:28:07 -04:00
Luke Parker
93b1656f86
Meaningful changes from aggressive-clippy
I do want to enable a few specific lints, yet aggressive-clippy as a whole
isn't worthwhile.
2023-07-08 11:29:07 -04:00
Luke Parker
1e448dec21
Add no_std support to transcript, dalek-ff-group, ed448, ciphersuite, multiexp, schnorr, and monero-generators
transcript, dalek-ff-group, ed449, and ciphersuite are all usable with no_std
alone. The rest additionally require alloc.

Part of #279.
2023-04-22 04:38:47 -04:00
Luke Parker
47be373eb0
Resolve #268 by adding a Zeroize to DigestTranscript which writes a full block
This is a 'better-than-nothing' attempt to invalidate its state.

Also replaces black_box features with usage of the rustversion crate.
2023-03-28 04:43:10 -04:00
Luke Parker
79aff5d4c8
ff 0.13 (#269)
* Partial move to ff 0.13

It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further
work at this time.

* Update all crates to work on ff 0.13

The provided curves still need to be expanded to fit the new API.

* Finish adding dalek-ff-group ff 0.13 constants

* Correct FieldElement::product definition

Also stops exporting macros.

* Test most new parts of ff 0.13

* Additionally test ff-group-tests with BLS12-381 and the pasta curves

We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto,
the group behind ff/group, and the pasta curves, which is by Zcash (though
Zcash developers are also behind zk-crypto).

* Finish Ed448

Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13.

* Add RustCrypto/elliptic-curves to allowed git repos

Needed due to k256/p256 incorrectly defining product.

* Finish writing ff 0.13 tests

* Add additional comments to dalek

* Further comments

* Update ethereum-serai to ff 0.13
2023-03-28 04:38:01 -04:00
Luke Parker
8d4d630e0f
Fully document crypto/ 2023-03-20 20:10:00 -04:00
Luke Parker
ad470bc969
\#242 Expand usage of black_box/zeroize
This commit greatly expands the usage of black_box/zeroize on bits, as it
originally should have. It is likely overkill, leading to less efficient
code generation, yet does its best to be comprehensive where comprehensiveness
is extremely annoying to achieve.

In the future, this usage of black_box may be desirable to move to its own
crate.

Credit to @AaronFeickert for identifying the original commit was incomplete.
2023-03-10 06:27:44 -05:00
Luke Parker
c37cc0b4e2
Update Zeroize pin to ^1.5 from 1.5 2023-03-07 02:29:59 -05:00
Luke Parker
6fec95b1a7
3.7.2 Remove code randomizing which side odd elements end up on
This could still be gamed. For [1, 2, 3], the options were ([1], [2, 3]) or
([1, 2], [3]). This means 2 would always have the maximum round count, and
thus this is still game-able. There's no point to keeping its complexity
accordingly when the algorithm is as efficient as it is.

While a proper random could be used to satisfy 3.7.2, it'd break the
expected determinism.
2023-03-02 11:16:00 -05:00
Luke Parker
1d2ebdca62
3.7.6, 3.7.7 Optimize multiexp implementations 2023-03-02 06:12:02 -05:00
Luke Parker
e5329b42e6
3.7.5 Further document multiexp functions 2023-03-02 05:49:45 -05:00
Luke Parker
8661111fc6
3.7.3 Add multiexp tests 2023-03-02 03:58:48 -05:00
Luke Parker
93d5f41917
3.7.2 Randomize which side odd elements end up on during blame 2023-03-02 01:55:08 -05:00
Luke Parker
15d6be1678
3.7.1 Deduplicate flattening/zeroize code
While the prior intent was to avoid zeroizing for vartime verification, which
is assumed to not have any private data, this simplifies the code and promotes
safety.
2023-03-02 01:13:07 -05:00
Luke Parker
0ca52a36ee
Restore type complexity checks in CI
Passes due to the remaining type complexity cases being explicitly allowed.
2022-12-01 17:50:52 -05:00
Luke Parker
d714f2202d
Document multiexp
Bumps the crate version to enable publishing.
2022-11-07 18:31:20 -05:00
Luke Parker
19cd609cba
Use doc_auto_cfg 2022-09-29 04:47:55 -04:00
Luke Parker
65c20638ce
fmt/clippy 2022-09-17 04:35:08 -04:00
Luke Parker
75c3cdc5af
Comment the previous commit
Despite the intentions of https://github.com/serai-dex/serai/issues/85, 
it failed to be practically faster :/

Updates a DLEq test to be better as well.
2022-08-13 19:43:18 -04:00
Luke Parker
062cd77a98
Close https://github.com/serai-dex/serai/issues/85 2022-08-13 19:21:12 -04:00
Luke Parker
a423c23c1e
Use zeroize instead of 0-sets 2022-08-12 01:14:13 -04:00
Luke Parker
797be71eb3
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs

Also makes bit decomposition constant time for a given amount of 
outputs.

* Fix nonce reuse for single-signer CLSAG

* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data

* Zeroize private keys and nonces

* Merge prepare_outputs and prepare_transactions

* Ensure CLSAG is constant time

* Pass by borrow where needed, bug fixes

The past few commitments have been one in-progress chunk which I've 
broken up as best read.

* Add Zeroize to FROST structs

Still needs to zeroize internally, yet next step. Not quite as 
aggressive as Monero, partially due to the limitations of HashMaps, 
partially due to less concern about metadata, yet does still delete a 
few smaller items of metadata (group key, context string...).

* Remove Zeroize from most Monero multisig structs

These structs largely didn't have private data, just fields with private 
data, yet those fields implemented ZeroizeOnDrop making them already 
covered. While there is still traces of the transaction left in RAM, 
fully purging that was never the intent.

* Use Zeroize within dleq

bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.

* Use Zeroize for random_nonce

It isn't perfect, due to the inability to zeroize the digest, and due to 
kp256 requiring a few transformations. It does the best it can though.

Does move the per-curve random_nonce to a provided one, which is allowed 
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.

* Use Zeroize on FROST keygen/signing

* Zeroize constant time multiexp.

* Correct when FROST keygen zeroizes

* Move the FROST keys Arc into FrostKeys

Reduces amount of instances in memory.

* Manually implement Debug for FrostCore to not leak the secret share

* Misc bug fixes

* clippy + multiexp test bug fixes

* Correct FROST key gen share summation

It leaked our own share for ourself.

* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
Luke Parker
76a7160ea5
Correct clippy warnings
Currently intended to be done with:
cargo clippy --features "recommended merlin batch serialize experimental 
ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity 
-A dead_code
2022-07-22 02:35:17 -04:00
Luke Parker
e67033a207 Apply an initial set of rustfmt rules 2022-07-16 15:16:30 -05:00
Luke Parker
44e0a41ca1 Add Classic/Compromise DLEqs and a benchmark
Formatted results from my laptop:

EfficientLinear had a average prove time of 188ms
EfficientLinear had a average verify time of 126ms

CompromiseLinear had a average prove time of 176ms
CompromiseLinear had a average verify time of 141ms

ConciseLinear had a average prove time of 191ms
ConciseLinear had a average verify time of 160ms

ClassicLinear had a average prove time of 214ms
ClassicLinear had a average verify time of 159ms

There is a decent error margin here. Concise is a drop-in replacement 
for Classic, in practice *not* theory. Efficient is optimal for 
performance, yet largest. Compromise is a middleground.
2022-07-07 08:36:23 -05:00
Luke Parker
7d80b6e854 Fix multiexp for debug as well
Oversight on my end.
2022-07-07 08:36:23 -05:00
Luke Parker
fd817a6958 Fix multiexp for 0-length batches 2022-07-07 08:36:23 -05:00
Luke Parker
fe9a8d9495
Add must_use to the BatchVerifier's verify -> bool functions 2022-07-05 19:11:31 -04:00
Luke Parker
3acfb5b7d2
Use a do-while in multiexp, first to please a friend, and then to annoy them
It's also legitimately cleaner code.
2022-07-02 14:22:17 -04:00
Luke Parker
a81a76da3b
Ensure multiexp never uses a zero-weight in its batch verifier 2022-07-02 14:08:04 -04:00
Luke Parker
7890827a48
Implement variable-sized windows into multiexp
Closes https://github.com/serai-dex/serai/issues/17 by using the 
PrimeFieldBits API to do so.

Should greatly speed up small batches, along with batches in the 
hundreds. Saves almost a full second on the cross-group DLEq proof.
2022-06-30 09:30:24 -04:00
Luke Parker
714ce68deb
Add pippenger under multiexp 2022-06-07 00:02:10 -04:00
Luke Parker
ce4c899422
Remove "as", except for floats as needed
Also updates Bulletproofs from C to not be length prefixed, yet rather 
have Rust calculate their length.

Corrects an error in key_gen where self was blamed, instead of the 
faulty participant.
2022-05-30 02:14:34 -04:00
Luke Parker
469ce9106b
Implement a binary search for BatchVerifier blame
Adds helper functions to verify and, on failure, blame, which move an 
unwrap from callers into multiexp where it's guaranteed to be safe and 
easily verified to be proper.

Closes https://github.com/serai-dex/serai/issues/10.
2022-05-27 02:01:01 -04:00
Luke Parker
c90e957e6a
Add a batch verifier to multiexp, along with constant time variants
Saves ~8% during FROST key gen, even with dropping a vartime for a 
constant time (as needed to be secure), as the new batch verifier is 
used where batch verification previously wasn't. The new multiexp API 
itself also offered a very slight performance boost, which may solely be 
a measurement error.

Handles most of https://github.com/serai-dex/serai/issues/10. The blame 
function isn't binary searched nor randomly sorted yet.
2022-05-27 00:52:44 -04:00
Luke Parker
56fc39fff5
Fix https://github.com/serai-dex/serai/issues/5 2022-05-03 07:42:09 -04:00