Commit graph

516 commits

Author SHA1 Message Date
Luke Parker
8b7e7b1a1c
3.8.4 Don't additionally transcript keys with challenges 2023-03-02 09:14:36 -05:00
Luke Parker
053f07a281
3.8.3 Document challenge requirements 2023-03-02 09:08:53 -05:00
Luke Parker
08f9287107
3.8.2 Add Ed25519 RFC 8032 test vectors 2023-03-02 09:06:03 -05:00
Luke Parker
35043d2889
3.8.1 Document RFC 8032 compatibility 2023-03-02 08:45:09 -05:00
Luke Parker
1d2ebdca62
3.7.6, 3.7.7 Optimize multiexp implementations 2023-03-02 06:12:02 -05:00
Luke Parker
e5329b42e6
3.7.5 Further document multiexp functions 2023-03-02 05:49:45 -05:00
Luke Parker
408494f8de
3.7.4 Always zeroize multiexp data
This was handled as part of handling 3.7.1
2023-03-02 03:59:49 -05:00
Luke Parker
8661111fc6
3.7.3 Add multiexp tests 2023-03-02 03:58:48 -05:00
Luke Parker
93d5f41917
3.7.2 Randomize which side odd elements end up on during blame 2023-03-02 01:55:08 -05:00
Luke Parker
15d6be1678
3.7.1 Deduplicate flattening/zeroize code
While the prior intent was to avoid zeroizing for vartime verification, which
is assumed to not have any private data, this simplifies the code and promotes
safety.
2023-03-02 01:13:07 -05:00
Luke Parker
2fd5cd8161
3.6.9 Add several tests to the FROST library
Offset signing is now tested. Multi-nonce algorithms are now tested.
Multi-generator nonce algorithms are now tested. More fault cases are now tested
as well.
2023-03-01 08:02:45 -05:00
Luke Parker
c6284b85a4
3.6.8 Simplify offset splitting
This wasn't done prior to be 'leaderless', as now the participant with the
lowest ID has an extra step, yet this is still trivial. There's also notable
performance benefits to not taking the previous dividing approach, which
performed an exp.
2023-03-01 01:06:13 -05:00
Luke Parker
a42a84e1e8
3.6.7 Seal IetfTranscript 2023-03-01 00:42:01 -05:00
Luke Parker
5a3406bb5f
3.6.6 Further document nonces
This was already a largely documented file. While the terminology is
potentially ambiguous, there's not a clearer path perceived at this time.
2023-03-01 00:35:37 -05:00
Luke Parker
62b3036cbd
3.6.5 Document origin of vectors 2023-02-28 23:23:22 -05:00
Luke Parker
6a15b21949
3.6.4 Document inclusion of Ed448 HRAM vector 2023-02-28 23:14:59 -05:00
Luke Parker
39b3452da1
3.6.3 Check commitment encoding
Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
Luke Parker
7a05466049
3.6.2 Test nonce generation
There's two ways which this could be tested.

1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes

This would be an unsafe level of refactoring, in my opinion.

2) Test random_nonce and test the passed in RNG eventually ends up at
random_nonce.

This takes the latter route, both verifying random_nonce meets the vectors
and that the FROST machine calls random_nonce properly.
2023-02-28 21:02:12 -05:00
Luke Parker
c1435a2045
3.4.a Panic if generators.len() != scalars.len() for MultiDLEqProof 2023-02-28 00:00:29 -05:00
Luke Parker
969a5d94f2
3.6.1 Document rejection of zero nonces 2023-02-24 06:16:22 -05:00
Luke Parker
93f7afec8b
3.5.2 Add more tests to ff-group-tests
The audit recommends checking failure cases for from_bytes,
from_bytes_unechecked, and from_repr. This isn't feasible.

from_bytes is allowed to have non-canonical values. [0xff; 32] may accordingly
be a valid point for non-SEC1-encoded curves.

from_bytes_unchecked doesn't have a defined failure mode, and by name,
unchecked, shouldn't necessarily fail. The audit acknowledges the tests should
test for whatever result is 'appropriate', yet any result which isn't a failure
on a valid element is appropriate.

from_repr must be canonical, yet for a binary field of 2^n where n % 8 == 0, a
[0xff; n / 8] repr would be valid.
2023-02-24 06:03:56 -05:00
Luke Parker
32c18cac84
3.5.1 Document presence of k256/p256 2023-02-24 05:28:31 -05:00
Luke Parker
65376e93e5
3.4.3 Merge the nonce calculation from DLEqProof and MultiDLEqProof into a
single function

3.4.3 actually describes getting rid of DLEqProof for a thin wrapper around
MultiDLEqProof. That can't be done due to DLEqProof not requiring the std
features, enabling Vecs, which MultiDLEqProof relies on.

Merging the verification statement does simplify the code a bit. While merging
the proof could also be, it has much less value due to the simplicity of
proving (nonce * G, scalar * G).
2023-02-24 05:11:01 -05:00
Luke Parker
6104d606be
3.4.2 Document the DLEq lib 2023-02-24 04:37:20 -05:00
Luke Parker
1a6497f37a
3.3.5 Clarify GeneratorPromotion is only for generators, not curves 2023-02-23 07:21:47 -05:00
Luke Parker
4d6a0bbd7d
3.3.4 Use FROST context throughout Encryption 2023-02-23 07:19:55 -05:00
Luke Parker
2d56d24d9c
3.3.3 (cont) Add a dedicated Participant type 2023-02-23 06:50:45 -05:00
Luke Parker
87dea5e455
3.3.3 Add an assert if polynomial is called with 0
This will only be called with 0 if the code fails to do proper screening of its
arguments. If such a flaw is present, the DKG lib is critically broken (as this
function isn't public). If it was allowed to continue executing, it'd reveal
the secret share.
2023-02-23 04:56:05 -05:00
Luke Parker
8bee62609c
3.3.2 Use a static IV and clarify cipher documentation 2023-02-23 04:44:20 -05:00
Luke Parker
d72c4ca4f7
3.3.1 replace try_from with from 2023-02-23 04:29:38 -05:00
Luke Parker
d929a8d96e
3.2.2 Use a hash to point for random points in dfg 2023-02-23 04:29:17 -05:00
Luke Parker
74647b1b52
3.2.3 Don't yield identity in Group::random 2023-02-23 04:14:07 -05:00
Luke Parker
40a6672547
3.2.1, 3.2.4, 3.2.5. Documentation and tests 2023-02-23 04:05:47 -05:00
Luke Parker
686a5ee364
3.1.4 Further document hash_to_F which may collide 2023-02-23 01:09:22 -05:00
Luke Parker
cb4ce5e354
3.1.3 Use a checked_add for the modulus in secp256k1/P-256 2023-02-23 00:57:41 -05:00
Luke Parker
ac0f5e9b2d
3.1.2 Remove oversize DST handling for code present in elliptic-curve already
Adds a test to ensure that elliptic-curve does in fact handle this properly.
2023-02-23 00:52:13 -05:00
Luke Parker
18ac80671f
3.1.1 Document secp256k1/P-256 hash_to_F 2023-02-23 00:37:19 -05:00
Luke Parker
eeca440fa7
Offer a multi-DLEq proof which simply merges challenges for n underlying proofs
This converts proofs from 2n elements to 1+n.

Moves FROST over to it. Additionally, for FROST's binomial nonces, provides
a single DLEq proof (2, not 1+2 elements) by proving the discrete log equality
of their aggregate (with an appropriate binding factor). This may be split back
up depending on later commentary...
2023-01-01 09:16:09 -05:00
Luke Parker
49c4acffbb
Use a more efficient challenge function in the dleq
The prior one did 64 scalar additions for Ed25519. The new one does 8.
This was optimized by instead of parsing byte-by-byte, u64-by-u64.

Improves perf by ~10-15%.
2023-01-01 05:50:16 -05:00
Luke Parker
5599a052ad
Run latest nightly clippy
Also runs clippy on the tests and updates the CI accordingly
2023-01-01 04:18:23 -05:00
Luke Parker
bff5f33616
Correct GITHUB_TOKEN handling 2023-01-01 04:09:10 -05:00
Luke Parker
f10bcfddcb
Add repo token to arduino/setup-protoc to avoid rate limiting 2023-01-01 03:25:42 -05:00
Luke Parker
5b3c9bf5d0
DKG Blame (#196)
* Standardize the DLEq serialization function naming

They mismatched from the rest of the project.

This commit is technically incomplete as it doesn't update the dkg crate.

* Rewrite DKG encryption to enable per-message decryption without side effects

This isn't technically true as I already know a break in this which I'll
correct for shortly.

Does update documentation to explain the new scheme. Required for blame.

* Add a verifiable system for blame during the FROST DKG

Previously, if sent an invalid key share, the participant would realize that
and could accuse the sender. Without further evidence, either the accuser
or the accused could be guilty. Now, the accuser has a proof the accused is
in the wrong.

Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how
locally complete keys still need group acknowledgement before the protocol
can be complete and provides a way for others to verify blame, even after a
locally successful run.

If any blame is cast, the protocol is no longer considered complete-able
(instead aborting). Further accusations of blame can still be handled however.

Updates documentation on network behavior.

Also starts to remove "OnDrop". We now use Zeroizing for anything which should
be zeroized on drop. This is a lot more piece-meal and reduces clones.

* Tweak Zeroizing and Debug impls

Expands Zeroizing to be more comprehensive.

Also updates Zeroizing<CachedPreprocess([u8; 32])> to
CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done
and last step before exposing the copy-able [u8; 32].

Removes private keys from Debug.

* Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages

Mentioned a few commits ago, now fixed.

This wouldn't have affected Serai, which aborts on failure, nor any DKG
currently supported. It's just about ensuring the DKG encryption is robust and
proper.

* Finish moving dleq from ser/deser to write/read

* Add tests for dkg blame

* Add a FROST test for invalid signature shares

* Batch verify encrypted messages' ephemeral keys' PoP
2023-01-01 01:54:18 -05:00
Luke Parker
3b4c600c60
Have transcripted versions specify their minor version pre-1.0 2022-12-27 00:49:31 -05:00
Luke Parker
bacf31378d
Add test vectors for Ciphersuite::hash_to_F 2022-12-25 02:50:10 -05:00
Luke Parker
da8e7e73e0
Re-organize testing strategy and document Ciphersuite::hash_to_F. 2022-12-24 17:08:22 -05:00
Luke Parker
35a4f5bf9f
Use count instead of iter.map(|_| 1).sum
Also replaces the expectation the miner TX was first with a check for
Input::Gen.
2022-12-24 15:17:49 -05:00
Luke Parker
445bb3786e
Add a dedicated crate for testing ff/group implementors
Provides extensive testing for dalek-ff-group and ed448.

Also includes a fix for an observed bug in ed448.
2022-12-24 15:09:09 -05:00
Luke Parker
6e518f5c22
cargo update due to yanked openssl crate 2022-12-20 23:12:26 -05:00
Luke Parker
e6bf3a4758
Remove stray mention to USDC 2022-12-15 20:35:06 -05:00