Luke Parker
62dfc63532
Fix Ethereum, again
2023-03-07 06:25:21 -05:00
Luke Parker
1e201562df
Correct doc comments re: HTML tags
2023-03-07 05:34:29 -05:00
Luke Parker
11114dcb74
Further fix the clippy lint controls for Hash on dalek_ff_group::*Point
2023-03-07 05:31:02 -05:00
Luke Parker
837c776297
Make Schnorr modular to its transcript
2023-03-07 05:30:21 -05:00
Luke Parker
6bff3866ea
Correct Ethereum
2023-03-07 05:25:25 -05:00
Luke Parker
b0730e3fdf
Fix last commit again
2023-03-07 04:47:06 -05:00
Luke Parker
2e78d61752
Fix last commit
2023-03-07 04:39:15 -05:00
Luke Parker
0b8a4ab3d0
Use a backwards compatible clippy lint for impl Hash
2023-03-07 04:26:19 -05:00
Luke Parker
c358090f16
Use black_box to help obscure the dalek-ff-group bool -> Choice conversion
...
I have no idea if this will actually help, yet it can't hurt.
Feature gated due to MSRV requirements.
Fixes #242 .
2023-03-07 04:23:41 -05:00
Luke Parker
adb5f34fda
Merge branch 'crypto-audit' into crypto-tweaks
2023-03-07 04:08:34 -05:00
Luke Parker
ed056cceaf
3.5.2 Test non-canonical from_repr
...
Unfortunately, G::from_bytes doesn't require canonicity so that still can't
be properly tested for. While we could try to detect SEC1, and write tests
on that, there's not a suitably stable/wide enough solution to be worth it.
2023-03-07 04:05:56 -05:00
Luke Parker
2bad06e5d9
Fix #200
2023-03-07 03:55:58 -05:00
Luke Parker
5a9a42f025
Use variable time for verifying PoKs in the DKG
2023-03-07 03:48:16 -05:00
Luke Parker
7d12c785b7
Correct error comment in ff-group-tests
2023-03-07 03:46:55 -05:00
Luke Parker
e08adcc1ac
Have Ciphersuite re-export Group
2023-03-07 03:46:16 -05:00
Luke Parker
af5702fccd
Make encryption public
...
It's necessary in order to read encryption messages over the network.
2023-03-07 03:37:30 -05:00
Luke Parker
5037962d3c
Rename dkg serialize/deserialize to write/read
2023-03-07 03:37:25 -05:00
Luke Parker
5b26115f81
Add Debug implementations to dkg
2023-03-07 03:26:39 -05:00
Luke Parker
1a99629a4a
Add feature-gated serde support for Participant/ThresholdParams
...
These don't have secret data yet sometimes have value to be communicated.
2023-03-07 03:13:55 -05:00
Luke Parker
b1ea2dfba6
Add support for hashing (as in HashMap) dalek points
2023-03-07 03:10:55 -05:00
Luke Parker
0e8c55e050
Update and remove unused dependencies
2023-03-07 03:06:46 -05:00
Luke Parker
d36fc026dd
Remove unused generic in frost
2023-03-07 02:40:09 -05:00
Luke Parker
0bbf511062
Add 'static/Send/Sync to specific traits in crypto
...
These were proven necessary by our real world usage.
2023-03-07 02:38:47 -05:00
Luke Parker
2729882d65
Update to {k, p}256 0.12
2023-03-07 02:34:10 -05:00
Luke Parker
c37cc0b4e2
Update Zeroize pin to ^1.5 from 1.5
2023-03-07 02:29:59 -05:00
Luke Parker
a053454ae4
3.9.4 Add tests to the transcript crate
2023-03-07 02:25:10 -05:00
Luke Parker
20a33079f8
3.9.3 Document Merlin domain_separate conflict potential and add an asert
2023-03-06 20:16:57 -05:00
Luke Parker
8307d4f6c8
cargo fmt
2023-03-06 08:23:14 -05:00
Luke Parker
db1fefe7c1
Update tendermint/node to latest substrate
2023-03-06 08:20:01 -05:00
Luke Parker
4a81640ab8
Update runtime to latest substrate
2023-03-06 08:14:22 -05:00
Luke Parker
943438628d
cargo update
2023-03-06 07:39:43 -05:00
Luke Parker
7efedb9a91
3.9.1 Also correct invalid doc comment
2023-03-06 07:16:04 -05:00
Luke Parker
79124b9a33
3.9.2 Better document rng_seed is allowed to conflict with challenge
2023-03-02 11:19:26 -05:00
Luke Parker
6fec95b1a7
3.7.2 Remove code randomizing which side odd elements end up on
...
This could still be gamed. For [1, 2, 3], the options were ([1], [2, 3]) or
([1, 2], [3]). This means 2 would always have the maximum round count, and
thus this is still game-able. There's no point to keeping its complexity
accordingly when the algorithm is as efficient as it is.
While a proper random could be used to satisfy 3.7.2, it'd break the
expected determinism.
2023-03-02 11:16:00 -05:00
Luke Parker
2f4f1de488
3.9.1 Fix SecureDigest trait bound
2023-03-02 10:57:22 -05:00
Luke Parker
97374a3e24
3.8.6 Correct transcript to scalar derivation
...
Replaces the externally passed in Digest with C::H since C is available.
2023-03-02 10:04:18 -05:00
Luke Parker
530671795a
3.8.5 Let the caller pass in a DST for the aggregation hash function
...
Also moves the aggregator over to Digest. While a bit verbose for this context,
as all appended items were fixed length, it's length prefixing is solid and
the API is pleasant. The downside is the additional dependency which is
in tree and quite compact.
2023-03-02 09:29:37 -05:00
Luke Parker
8b7e7b1a1c
3.8.4 Don't additionally transcript keys with challenges
2023-03-02 09:14:36 -05:00
Luke Parker
053f07a281
3.8.3 Document challenge requirements
2023-03-02 09:08:53 -05:00
Luke Parker
08f9287107
3.8.2 Add Ed25519 RFC 8032 test vectors
2023-03-02 09:06:03 -05:00
Luke Parker
35043d2889
3.8.1 Document RFC 8032 compatibility
2023-03-02 08:45:09 -05:00
Luke Parker
1d2ebdca62
3.7.6, 3.7.7 Optimize multiexp implementations
2023-03-02 06:12:02 -05:00
Luke Parker
e5329b42e6
3.7.5 Further document multiexp functions
2023-03-02 05:49:45 -05:00
Luke Parker
8144956f8a
Further document get_unlocked_outputs
2023-03-02 05:31:22 -05:00
Luke Parker
408494f8de
3.7.4 Always zeroize multiexp data
...
This was handled as part of handling 3.7.1
2023-03-02 03:59:49 -05:00
Luke Parker
8661111fc6
3.7.3 Add multiexp tests
2023-03-02 03:58:48 -05:00
Luke Parker
93d5f41917
3.7.2 Randomize which side odd elements end up on during blame
2023-03-02 01:55:08 -05:00
Luke Parker
15d6be1678
3.7.1 Deduplicate flattening/zeroize code
...
While the prior intent was to avoid zeroizing for vartime verification, which
is assumed to not have any private data, this simplifies the code and promotes
safety.
2023-03-02 01:13:07 -05:00
Luke Parker
2fd5cd8161
3.6.9 Add several tests to the FROST library
...
Offset signing is now tested. Multi-nonce algorithms are now tested.
Multi-generator nonce algorithms are now tested. More fault cases are now tested
as well.
2023-03-01 08:02:45 -05:00
Luke Parker
c6284b85a4
3.6.8 Simplify offset splitting
...
This wasn't done prior to be 'leaderless', as now the participant with the
lowest ID has an extra step, yet this is still trivial. There's also notable
performance benefits to not taking the previous dividing approach, which
performed an exp.
2023-03-01 01:06:13 -05:00