Commit graph

180 commits

Author SHA1 Message Date
Luke Parker
a0a54eb0de
Update to FROST v11
Ensures random functions never return zero. This, combined with a check 
commitments aren't 0, causes no serialized elements to be 0.

Also directly reads their vectors.
2022-10-13 00:38:36 -04:00
Luke Parker
482a8ec209
Update to the latest Serai Substrate (#125)
* Update to the latest Serai Substrate

* Add Protobuf to build dependencies

Docker shouldn't need updating as this should've been added to the image 
in 
2dbace5b01.

* Get substrate to build

* Correct protoc build step

* Remove the benchmarking code

There's some macro resolution error that isn't apparent. I worked on it 
for about half an hour but...

* Remove unnecessary clone

* Correct runtime-benchmarks flag usage
2022-09-29 13:33:09 -05:00
Luke Parker
503ae02cae
Version bump monero-generators to consolidate a dependency 2022-09-29 10:36:40 -04:00
Luke Parker
695f7ec5f9
Version bump Monero for documentation purposes 2022-09-29 10:35:11 -04:00
Luke Parker
8da0743361
Use sha3 in monero-generators 2022-09-29 08:08:49 -04:00
Luke Parker
2b7c9378c0
Update to FROST v10
Further expands documentation to near-completion.
2022-09-29 07:08:20 -04:00
Luke Parker
8b0f0a3713
Publish an alpha version of the Monero crate (#123)
* Label the version as an alpha

* Add versions to Cargo.tomls

* Update to Zeroize 1.5

* Drop patch versions from monero-serai Cargo.toml

* Add a repository field

* Move generators to OUT_DIR

IIRC, I didn't do this originally as it constantly re-generated them. 
Unfortunately, since cargo is complaining about .generators, we have to.

* Remove Timelock::fee_weight

Transaction::fee_weight's has a comment, "Assumes Timelock::None since 
this library won't let you create a TX with a timelock". Accordingly, 
this is dead code.
2022-09-29 01:24:33 -05:00
Luke Parker
49749d96a0
Replace tiny_keccak with sha3 in Monero 2022-09-28 09:29:58 -04:00
Luke Parker
5a4eb0a076
cargo update
Removes the potential applicability of CVE-2021-3520.
2022-09-18 15:30:38 -04:00
Luke Parker
d6a31863c4
Version bump dalek-ff-group 2022-08-29 03:46:48 -04:00
Luke Parker
081b9a1975
FROST Ed448 (#107)
* Theoretical ed448 impl

* Fixes

* Basic tests

* More efficient scalarmul

Precomputes a table to minimize additions required.

* Add a torsion test

* Split into a constant and variable time backend

The variable time one is still far too slow, at 53s for the tests (~5s a 
scalarmul). It should be usable as a PoC though.

* Rename unsafe Ed448

It's not only unworthy of the Serai branding and deserves more clarity
in the name.

* Add wide reduction to ed448

* Add Zeroize to Ed448

* Rename Ed448 group.rs to point.rs

* Minor lint to FROST

* Ed448 ciphersuite with 8032 test vector

* Macro out the backend fields

* Slight efficiency improvement to point decompression

* Disable the multiexp test in FROST for Ed448

* fmt + clippy ed448

* Fix an infinite loop in the constant time ed448 backend

* Add b"chal" to the 8032 context string for Ed448

Successfully tests against proposed vectors for the FROST IETF draft.

* Fix fmt and clippy

* Use a tabled pow algorithm in ed448's const backend

* Slight tweaks to variable time backend

Stop from_repr(MODULUS) from passing.

* Use extended points

Almost two orders of magnitude faster.

* Efficient ed448 doubling

* Remove the variable time backend

With the recent performance improvements, the constant time backend is 
now 4x faster than the variable time backend was. While the variable 
time backend remains much faster, and the constant time backend is still 
slow compared to other libraries, it's sufficiently performant now.

The FROST test, which runs a series of multiexps over the curve, does 
take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s.

While 50x slower than secp256k1 is horrible, it's ~1.5 orders of 
magntiude, which is close enough to the desire stated in 
https://github.com/serai-dex/serai/issues/108 to meet it.

Largely makes this library safe to use.

* Correct constants in ed448

* Rename unsafe-ed448 to minimal-ed448

Enables all FROST tests against it.

* No longer require the hazmat feature to use ed448

* Remove extraneous as_refs
2022-08-29 02:32:59 -05:00
Luke Parker
33ee6b7a02
Bump FROST version 2022-08-26 09:09:18 -04:00
Luke Parker
c5beee5648
Fix #48
Removes monero, yet we still use monero-rs's base58 and epee libraries.
2022-08-21 08:41:19 -04:00
Luke Parker
603a3f8c9f
Generate Bulletproofs(+) generators at compile time
Creates a new monero-generators crate so the monero crate can run the 
code in question at build time.

Saves several seconds from running the tests.

Closes https://github.com/serai-dex/serai/issues/101.
2022-08-21 06:36:53 -04:00
Luke Parker
c53e7ad6c7
Bump dalek-ff-group version 2022-08-18 17:11:55 -04:00
Luke Parker
f809827acd
cargo update
Fixes https://github.com/serai-dex/serai/issues/82.
2022-08-16 03:44:32 -04:00
Luke Parker
797be71eb3
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs

Also makes bit decomposition constant time for a given amount of 
outputs.

* Fix nonce reuse for single-signer CLSAG

* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data

* Zeroize private keys and nonces

* Merge prepare_outputs and prepare_transactions

* Ensure CLSAG is constant time

* Pass by borrow where needed, bug fixes

The past few commitments have been one in-progress chunk which I've 
broken up as best read.

* Add Zeroize to FROST structs

Still needs to zeroize internally, yet next step. Not quite as 
aggressive as Monero, partially due to the limitations of HashMaps, 
partially due to less concern about metadata, yet does still delete a 
few smaller items of metadata (group key, context string...).

* Remove Zeroize from most Monero multisig structs

These structs largely didn't have private data, just fields with private 
data, yet those fields implemented ZeroizeOnDrop making them already 
covered. While there is still traces of the transaction left in RAM, 
fully purging that was never the intent.

* Use Zeroize within dleq

bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.

* Use Zeroize for random_nonce

It isn't perfect, due to the inability to zeroize the digest, and due to 
kp256 requiring a few transformations. It does the best it can though.

Does move the per-curve random_nonce to a provided one, which is allowed 
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.

* Use Zeroize on FROST keygen/signing

* Zeroize constant time multiexp.

* Correct when FROST keygen zeroizes

* Move the FROST keys Arc into FrostKeys

Reduces amount of instances in memory.

* Manually implement Debug for FrostCore to not leak the secret share

* Misc bug fixes

* clippy + multiexp test bug fixes

* Correct FROST key gen share summation

It leaked our own share for ourself.

* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
Luke Parker
8f76e67f57
Rename dleq-serai to dleq 2022-07-30 18:35:39 -04:00
Luke Parker
755dc84859
Replace rand with rand_core where possible
Turns out rand_core offers OsRng.
2022-07-27 05:45:08 -04:00
Luke Parker
696da8228e
Remove Monero as a dependency
Introduces missing CLSAG checks. The only difference now should be the 
additional rejection of torsioned points, which is relevant to 
https://github.com/serai-dex/serai/issues/25. Considering this is only 
currently used for FROST verification, this should be fine.

Closes https://github.com/serai-dex/serai/issues/19 by making it 
irrelevant.

Increases priority of https://github.com/serai-dex/serai/issues/68, as 
now it's used for the BP generators which are done at first-proof.

Also merges BP's stricter hash_to_point with the library's, since CLSAG 
has the same bound.
2022-07-26 03:25:57 -04:00
Luke Parker
ee29f6d6d8
Implement Bulletproofs in Rust (#69)
* Initial attempt at Bulletproofs

I don't know why this doesn't work. The generators and hash_cache lines
up without issue. AFAICT, the inner product proof is valid as well, as
are all included formulas.

* Add yinvpow asserts

* Clean code

* Correct bad imports

* Fix the definition of TWO_N

Bulletproofs work now :D

* Tidy up a bit

* fmt + clippy

* Compile a variety of XMR dependencies with optimizations, even under dev

The Rust bulletproof implementation is 8% slower than C right now, under 
release. This is acceptable, even if suboptimal. Under debug, they take 
a quarter of a second to two seconds though, depending on the amount of 
outputs, which justifies this move.

* Remove unnecessary deref in BPs
2022-07-26 02:05:15 -05:00
Luke Parker
b80c1bec4c
Update dependencies
ethers previously used a git spec due to depending on not-yet-published 
updates. Now that they've been released, a properly published version is 
used.
2022-07-22 12:36:30 -04:00
Luke Parker
895fbae2dc Add a full success route test for the multisig contract 2022-07-21 23:30:51 -05:00
Luke Parker
aa0d364fc2 First passing multisig vote test 2022-07-21 23:30:51 -05:00
Luke Parker
43c4487804 Create a dedicated crate for the extension 2022-07-21 23:30:51 -05:00
Luke Parker
5583bf3447 Initial multisig tracking contract in ink 2022-07-21 23:30:51 -05:00
Luke Parker
9cb2d8aa4a
Integrate ink! 2022-07-16 21:06:54 -04:00
Luke Parker
2bddce2087
Add a patch for zip so ethereum-serai doesn't conflict with Substrate
Also commits the lock file and updates documentation.
2022-07-16 17:49:35 -04:00
Luke Parker
e22dcb1441
Update FROST signing to match the IETF draft
Modernizes dependencies
2022-04-23 03:49:30 -04:00
Luke Parker
6101f81d0a
Initial commit
Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into 
a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was 
going to be stubbed out into a new folder for now) with an offset system 
that voids its need and allows stealth addresses with CLSAG.
2022-04-21 21:36:18 -04:00