Commit graph

54 commits

Author SHA1 Message Date
Luke Parker
93b1656f86
Meaningful changes from aggressive-clippy
I do want to enable a few specific lints, yet aggressive-clippy as a whole
isn't worthwhile.
2023-07-08 11:29:07 -04:00
Luke Parker
c6982b5dfc
Ensure canonical points in the cross-group DLEq proof 2023-05-30 22:05:52 -04:00
Luke Parker
47be373eb0
Resolve #268 by adding a Zeroize to DigestTranscript which writes a full block
This is a 'better-than-nothing' attempt to invalidate its state.

Also replaces black_box features with usage of the rustversion crate.
2023-03-28 04:43:10 -04:00
Luke Parker
79aff5d4c8
ff 0.13 (#269)
* Partial move to ff 0.13

It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further
work at this time.

* Update all crates to work on ff 0.13

The provided curves still need to be expanded to fit the new API.

* Finish adding dalek-ff-group ff 0.13 constants

* Correct FieldElement::product definition

Also stops exporting macros.

* Test most new parts of ff 0.13

* Additionally test ff-group-tests with BLS12-381 and the pasta curves

We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto,
the group behind ff/group, and the pasta curves, which is by Zcash (though
Zcash developers are also behind zk-crypto).

* Finish Ed448

Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13.

* Add RustCrypto/elliptic-curves to allowed git repos

Needed due to k256/p256 incorrectly defining product.

* Finish writing ff 0.13 tests

* Add additional comments to dalek

* Further comments

* Update ethereum-serai to ff 0.13
2023-03-28 04:38:01 -04:00
Luke Parker
8d4d630e0f
Fully document crypto/ 2023-03-20 20:10:00 -04:00
Luke Parker
ad470bc969
\#242 Expand usage of black_box/zeroize
This commit greatly expands the usage of black_box/zeroize on bits, as it
originally should have. It is likely overkill, leading to less efficient
code generation, yet does its best to be comprehensive where comprehensiveness
is extremely annoying to achieve.

In the future, this usage of black_box may be desirable to move to its own
crate.

Credit to @AaronFeickert for identifying the original commit was incomplete.
2023-03-10 06:27:44 -05:00
Luke Parker
1e201562df
Correct doc comments re: HTML tags 2023-03-07 05:34:29 -05:00
Luke Parker
c1435a2045
3.4.a Panic if generators.len() != scalars.len() for MultiDLEqProof 2023-02-28 00:00:29 -05:00
Luke Parker
65376e93e5
3.4.3 Merge the nonce calculation from DLEqProof and MultiDLEqProof into a
single function

3.4.3 actually describes getting rid of DLEqProof for a thin wrapper around
MultiDLEqProof. That can't be done due to DLEqProof not requiring the std
features, enabling Vecs, which MultiDLEqProof relies on.

Merging the verification statement does simplify the code a bit. While merging
the proof could also be, it has much less value due to the simplicity of
proving (nonce * G, scalar * G).
2023-02-24 05:11:01 -05:00
Luke Parker
6104d606be
3.4.2 Document the DLEq lib 2023-02-24 04:37:20 -05:00
Luke Parker
eeca440fa7
Offer a multi-DLEq proof which simply merges challenges for n underlying proofs
This converts proofs from 2n elements to 1+n.

Moves FROST over to it. Additionally, for FROST's binomial nonces, provides
a single DLEq proof (2, not 1+2 elements) by proving the discrete log equality
of their aggregate (with an appropriate binding factor). This may be split back
up depending on later commentary...
2023-01-01 09:16:09 -05:00
Luke Parker
49c4acffbb
Use a more efficient challenge function in the dleq
The prior one did 64 scalar additions for Ed25519. The new one does 8.
This was optimized by instead of parsing byte-by-byte, u64-by-u64.

Improves perf by ~10-15%.
2023-01-01 05:50:16 -05:00
Luke Parker
5599a052ad
Run latest nightly clippy
Also runs clippy on the tests and updates the CI accordingly
2023-01-01 04:18:23 -05:00
Luke Parker
5b3c9bf5d0
DKG Blame (#196)
* Standardize the DLEq serialization function naming

They mismatched from the rest of the project.

This commit is technically incomplete as it doesn't update the dkg crate.

* Rewrite DKG encryption to enable per-message decryption without side effects

This isn't technically true as I already know a break in this which I'll
correct for shortly.

Does update documentation to explain the new scheme. Required for blame.

* Add a verifiable system for blame during the FROST DKG

Previously, if sent an invalid key share, the participant would realize that
and could accuse the sender. Without further evidence, either the accuser
or the accused could be guilty. Now, the accuser has a proof the accused is
in the wrong.

Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how
locally complete keys still need group acknowledgement before the protocol
can be complete and provides a way for others to verify blame, even after a
locally successful run.

If any blame is cast, the protocol is no longer considered complete-able
(instead aborting). Further accusations of blame can still be handled however.

Updates documentation on network behavior.

Also starts to remove "OnDrop". We now use Zeroizing for anything which should
be zeroized on drop. This is a lot more piece-meal and reduces clones.

* Tweak Zeroizing and Debug impls

Expands Zeroizing to be more comprehensive.

Also updates Zeroizing<CachedPreprocess([u8; 32])> to
CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done
and last step before exposing the copy-able [u8; 32].

Removes private keys from Debug.

* Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages

Mentioned a few commits ago, now fixed.

This wouldn't have affected Serai, which aborts on failure, nor any DKG
currently supported. It's just about ensuring the DKG encryption is robust and
proper.

* Finish moving dleq from ser/deser to write/read

* Add tests for dkg blame

* Add a FROST test for invalid signature shares

* Batch verify encrypted messages' ephemeral keys' PoP
2023-01-01 01:54:18 -05:00
Luke Parker
da8e7e73e0
Re-organize testing strategy and document Ciphersuite::hash_to_F. 2022-12-24 17:08:22 -05:00
Luke Parker
0ca52a36ee
Restore type complexity checks in CI
Passes due to the remaining type complexity cases being explicitly allowed.
2022-12-01 17:50:52 -05:00
Luke Parker
84de427d72
Fix https://github.com/serai-dex/serai/issues/150 2022-11-10 22:35:09 -05:00
Luke Parker
8de465af87
Have Transcript::append_message take in AsRef<[u8]>, not &[u8]
Simplifies calling it.
2022-11-05 18:43:36 -04:00
Luke Parker
cbceaff678
Create dedicated message structures for FROST messages (#140)
* Create message types for FROST key gen

Taking in reader borrows absolutely wasn't feasible. Now, proper types
which can be read (and then passed directly, without a mutable borrow)
exist for key_gen. sign coming next.

* Move FROST signing to messages, not Readers/Writers/Vec<u8>

Also takes the nonce handling code and makes a dedicated file for it, 
aiming to resolve complex types and make the code more legible by 
replacing its previously inlined state.

* clippy

* Update FROST tests

* read_signature_share

* Update the Monero library to the new FROST packages

* Update processor to latest FROST

* Tweaks to terminology and documentation
2022-10-25 23:17:25 -05:00
Luke Parker
8d9315b797
Use HashMarker for Transcript and when generating scalars from digests 2022-09-29 05:33:46 -04:00
Luke Parker
ca091a5f04
Expand and correct documentation 2022-09-29 05:25:29 -04:00
Luke Parker
19cd609cba
Use doc_auto_cfg 2022-09-29 04:47:55 -04:00
Luke Parker
b2f6c23e2f
clippy --all-features 2022-09-17 06:07:49 -04:00
Luke Parker
65c20638ce
fmt/clippy 2022-09-17 04:35:08 -04:00
Luke Parker
c5256d9b06
Use ChaCha20 instead of ChaCha12
Despite being slower and only used for blinding values, its still 
extremely performant. 20 is far more standard and will avoid an eye 
raise from reviewers.
2022-08-30 20:01:46 -04:00
Luke Parker
75c3cdc5af
Comment the previous commit
Despite the intentions of https://github.com/serai-dex/serai/issues/85, 
it failed to be practically faster :/

Updates a DLEq test to be better as well.
2022-08-13 19:43:18 -04:00
Luke Parker
454b73aec3
Add FROST key promotion
Closes https://github.com/serai-dex/serai/issues/72.

Adds a trait, with a commented impl for a semi-unsafe niche feature, 
which will be used in https://github.com/serai-dex/serai/issues/73.
2022-08-13 08:50:59 -04:00
Luke Parker
a423c23c1e
Use zeroize instead of 0-sets 2022-08-12 01:14:13 -04:00
Luke Parker
797be71eb3
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs

Also makes bit decomposition constant time for a given amount of 
outputs.

* Fix nonce reuse for single-signer CLSAG

* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data

* Zeroize private keys and nonces

* Merge prepare_outputs and prepare_transactions

* Ensure CLSAG is constant time

* Pass by borrow where needed, bug fixes

The past few commitments have been one in-progress chunk which I've 
broken up as best read.

* Add Zeroize to FROST structs

Still needs to zeroize internally, yet next step. Not quite as 
aggressive as Monero, partially due to the limitations of HashMaps, 
partially due to less concern about metadata, yet does still delete a 
few smaller items of metadata (group key, context string...).

* Remove Zeroize from most Monero multisig structs

These structs largely didn't have private data, just fields with private 
data, yet those fields implemented ZeroizeOnDrop making them already 
covered. While there is still traces of the transaction left in RAM, 
fully purging that was never the intent.

* Use Zeroize within dleq

bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.

* Use Zeroize for random_nonce

It isn't perfect, due to the inability to zeroize the digest, and due to 
kp256 requiring a few transformations. It does the best it can though.

Does move the per-curve random_nonce to a provided one, which is allowed 
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.

* Use Zeroize on FROST keygen/signing

* Zeroize constant time multiexp.

* Correct when FROST keygen zeroizes

* Move the FROST keys Arc into FrostKeys

Reduces amount of instances in memory.

* Manually implement Debug for FrostCore to not leak the secret share

* Misc bug fixes

* clippy + multiexp test bug fixes

* Correct FROST key gen share summation

It leaked our own share for ourself.

* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
Luke Parker
76a7160ea5
Correct clippy warnings
Currently intended to be done with:
cargo clippy --features "recommended merlin batch serialize experimental 
ed25519 ristretto p256 secp256k1 multisig" -- -A clippy::type_complexity 
-A dead_code
2022-07-22 02:35:17 -04:00
Luke Parker
e67033a207 Apply an initial set of rustfmt rules 2022-07-16 15:16:30 -05:00
Luke Parker
5ede5b9e8f
Update the DLEq proof for any amount of generators
The two-generator limit wasn't required nor beneficial. This does 
theoretically optimize FROST, yet not for any current constructions. A 
follow up proof which would optimize current constructions has been 
noted in #38.

Adds explicit no_std support to the core DLEq proof.

Closes #34.
2022-07-13 23:29:48 -04:00
Luke Parker
d81f6270c7
Version bump and synchronize packages
Uses "dleq-serai", instead of "dleq", as the dleq crate name hasn't been 
transferred yet :(
2022-07-12 03:38:59 -04:00
Luke Parker
5942492519
Support transcripts with 32-byte challenges in the DLEq crate 2022-07-09 00:38:30 -04:00
Luke Parker
b69337a3a6
Tweak DLEq README and rename the experimental_cross_group feature to just experimental 2022-07-07 09:52:10 -04:00
Luke Parker
72afcf1f06 Mark cross_group as experimental
While all of Serai can be argued as experimental, the DLEq proof is 
especially so, as it's lacking any formal proofs over its theory.

Also adds doc(hidden) to the generic DLEqProof, now prefixed with __.
2022-07-07 08:36:23 -05:00
Luke Parker
4dbf50243b Fix serialization
This enabled getting the proof sizes, which are:
- ConciseLinear had a proof size of 44607 bytes
- CompromiseLinear had a proof size of 48765 bytes
- ClassicLinear had a proof size of 56829 bytes
- EfficientLinear had a proof size of 65145 byte
2022-07-07 08:36:23 -05:00
Luke Parker
c3a0e0375d Save an inversion on AOS verification
Incredibly minor, just nagged me
2022-07-07 08:36:23 -05:00
Luke Parker
44e0a41ca1 Add Classic/Compromise DLEqs and a benchmark
Formatted results from my laptop:

EfficientLinear had a average prove time of 188ms
EfficientLinear had a average verify time of 126ms

CompromiseLinear had a average prove time of 176ms
CompromiseLinear had a average verify time of 141ms

ConciseLinear had a average prove time of 191ms
ConciseLinear had a average verify time of 160ms

ClassicLinear had a average prove time of 214ms
ClassicLinear had a average verify time of 159ms

There is a decent error margin here. Concise is a drop-in replacement 
for Classic, in practice *not* theory. Efficient is optimal for 
performance, yet largest. Compromise is a middleground.
2022-07-07 08:36:23 -05:00
Luke Parker
1a2e6dc5cf Consolidate concise/efficient and clean 2022-07-07 08:36:23 -05:00
Luke Parker
9f8d1aa220 Clean AOS signatures 2022-07-07 08:36:23 -05:00
Luke Parker
26cee46950 Add a batch verified DLEq
The batch verified one offers ~23% faster verification. While this 
massively refactors for modularity, I'm still not happy with the DLEq 
proofs at the top level, nor am I happy with the AOS signatures. I'll 
work on cleaning them up more later.
2022-07-07 08:36:23 -05:00
Luke Parker
0ff5ee8292
Correct e_0 to actually be e_0 2022-07-05 15:14:04 -04:00
Luke Parker
2ac5ea651c
Use a ring per 2 bits instead of per bit
Reduces proof size by 21.5% without notable computational complexity 
changes. I wouldn't be surprised if it has minor ones, yet I can't 
comment in which way they go without further review.

Bit now verifies it can successfully complete the ring under debug, 
slightly increasing debug times.
2022-07-05 15:01:33 -04:00
Luke Parker
d17c9587b5
Fix mutual_scalar_from_bytes
It didn't properly grab bits, nor did it double as needed.
2022-07-05 08:10:16 -04:00
Luke Parker
bfe34ea6f8
Make the cross-group DLEq bit components pow 2, not the commitments as a whole
Few percent faster. Enables accumulating the current bit's point 
representation, whereas the blinding keys can't be accumulated. Also 
theoretically enables pre-computation of the bit points, removing 
hundreds of additions from the proof. When tested, this was less 
performant, possibly due to cache/heap allocation.
2022-07-05 05:18:12 -04:00
Luke Parker
daadb43875
Minor doc updates 2022-07-02 11:04:01 -04:00
Luke Parker
ed569ea9c8
Make multiexp an optional, yet default, feature for DLEq 2022-07-02 02:48:27 -04:00
Luke Parker
2e35854215
Rewrite the cross-group DLEq API to not allow proving for biased scalars 2022-07-02 02:46:40 -04:00
Luke Parker
7e058f1c08
Remove cross-group DLEq challenge bias as possible 2022-07-02 02:45:26 -04:00