2022-07-05 19:10:30 -04:00
|
|
|
use rand_core::{RngCore, CryptoRng};
|
|
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
use zeroize::Zeroize;
|
|
|
|
|
|
2022-07-05 19:10:30 -04:00
|
|
|
use transcript::Transcript;
|
|
|
|
|
|
2022-07-15 01:26:07 -04:00
|
|
|
use group::{
|
|
|
|
|
ff::{Field, PrimeFieldBits},
|
|
|
|
|
prime::PrimeGroup,
|
|
|
|
|
};
|
2022-07-05 19:10:30 -04:00
|
|
|
|
|
|
|
|
use multiexp::BatchVerifier;
|
|
|
|
|
|
2022-07-13 23:29:48 -04:00
|
|
|
use crate::cross_group::{
|
2022-07-15 01:26:07 -04:00
|
|
|
Generators, DLEqError,
|
|
|
|
|
scalar::{scalar_convert, mutual_scalar_from_bytes},
|
2022-07-05 19:10:30 -04:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#[cfg(feature = "serialize")]
|
|
|
|
|
use std::io::{Read, Write};
|
|
|
|
|
#[cfg(feature = "serialize")]
|
|
|
|
|
use ff::PrimeField;
|
|
|
|
|
#[cfg(feature = "serialize")]
|
|
|
|
|
use crate::{read_scalar, cross_group::read_point};
|
|
|
|
|
|
2022-07-07 00:26:34 -04:00
|
|
|
#[allow(non_camel_case_types)]
|
|
|
|
|
#[derive(Clone, PartialEq, Eq, Debug)]
|
|
|
|
|
pub(crate) enum Re<G0: PrimeGroup, G1: PrimeGroup> {
|
|
|
|
|
R(G0, G1),
|
|
|
|
|
// Merged challenges have a slight security reduction, yet one already applied to the scalar
|
|
|
|
|
// being proven for, and this saves ~8kb. Alternatively, challenges could be redefined as a seed,
|
|
|
|
|
// present here, which is then hashed for each of the two challenges, remaining unbiased/unique
|
|
|
|
|
// while maintaining the bandwidth savings, yet also while adding 252 hashes for
|
|
|
|
|
// Secp256k1/Ed25519
|
2022-07-15 01:26:07 -04:00
|
|
|
e(G0::Scalar),
|
2022-07-05 19:10:30 -04:00
|
|
|
}
|
|
|
|
|
|
2022-07-07 00:26:34 -04:00
|
|
|
impl<G0: PrimeGroup, G1: PrimeGroup> Re<G0, G1> {
|
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
pub(crate) fn R_default() -> Re<G0, G1> {
|
|
|
|
|
Re::R(G0::identity(), G1::identity())
|
|
|
|
|
}
|
2022-07-05 19:10:30 -04:00
|
|
|
|
2022-07-07 00:26:34 -04:00
|
|
|
pub(crate) fn e_default() -> Re<G0, G1> {
|
2023-03-28 04:38:01 -04:00
|
|
|
Re::e(G0::Scalar::ZERO)
|
2022-07-07 00:26:34 -04:00
|
|
|
}
|
2022-07-05 19:10:30 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
#[derive(Clone, PartialEq, Eq, Debug)]
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
pub(crate) struct Aos<G0: PrimeGroup + Zeroize, G1: PrimeGroup + Zeroize, const RING_LEN: usize> {
|
2022-07-07 00:26:34 -04:00
|
|
|
Re_0: Re<G0, G1>,
|
2022-07-15 01:26:07 -04:00
|
|
|
s: [(G0::Scalar, G1::Scalar); RING_LEN],
|
2022-07-05 19:10:30 -04:00
|
|
|
}
|
|
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
impl<G0: PrimeGroup + Zeroize, G1: PrimeGroup + Zeroize, const RING_LEN: usize>
|
|
|
|
|
Aos<G0, G1, RING_LEN>
|
2022-07-15 01:26:07 -04:00
|
|
|
where
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
G0::Scalar: PrimeFieldBits + Zeroize,
|
|
|
|
|
G1::Scalar: PrimeFieldBits + Zeroize,
|
2022-07-15 01:26:07 -04:00
|
|
|
{
|
2022-07-07 00:26:34 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn nonces<T: Transcript>(mut transcript: T, nonces: (G0, G1)) -> (G0::Scalar, G1::Scalar) {
|
2022-07-07 07:30:10 -04:00
|
|
|
transcript.domain_separate(b"aos_membership_proof");
|
2022-11-05 18:43:36 -04:00
|
|
|
transcript.append_message(b"ring_len", u8::try_from(RING_LEN).unwrap().to_le_bytes());
|
|
|
|
|
transcript.append_message(b"nonce_0", nonces.0.to_bytes());
|
|
|
|
|
transcript.append_message(b"nonce_1", nonces.1.to_bytes());
|
2022-07-07 00:26:34 -04:00
|
|
|
mutual_scalar_from_bytes(transcript.challenge(b"challenge").as_ref())
|
2022-07-05 19:10:30 -04:00
|
|
|
}
|
|
|
|
|
|
2022-07-07 00:26:34 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn R(
|
2022-07-05 19:10:30 -04:00
|
|
|
generators: (Generators<G0>, Generators<G1>),
|
2022-07-07 00:26:34 -04:00
|
|
|
s: (G0::Scalar, G1::Scalar),
|
|
|
|
|
A: (G0, G1),
|
2022-07-15 01:26:07 -04:00
|
|
|
e: (G0::Scalar, G1::Scalar),
|
2022-07-07 00:26:34 -04:00
|
|
|
) -> (G0, G1) {
|
|
|
|
|
(((generators.0.alt * s.0) - (A.0 * e.0)), ((generators.1.alt * s.1) - (A.1 * e.1)))
|
2022-07-05 19:10:30 -04:00
|
|
|
}
|
|
|
|
|
|
2022-12-01 11:52:52 -05:00
|
|
|
#[allow(non_snake_case, clippy::type_complexity)]
|
2022-07-05 19:10:30 -04:00
|
|
|
fn R_batch(
|
|
|
|
|
generators: (Generators<G0>, Generators<G1>),
|
|
|
|
|
s: (G0::Scalar, G1::Scalar),
|
|
|
|
|
A: (G0, G1),
|
2022-07-15 01:26:07 -04:00
|
|
|
e: (G0::Scalar, G1::Scalar),
|
2022-07-05 19:10:30 -04:00
|
|
|
) -> (Vec<(G0::Scalar, G0)>, Vec<(G1::Scalar, G1)>) {
|
2022-07-07 08:27:20 -04:00
|
|
|
(vec![(-s.0, generators.0.alt), (e.0, A.0)], vec![(-s.1, generators.1.alt), (e.1, A.1)])
|
2022-07-05 19:10:30 -04:00
|
|
|
}
|
|
|
|
|
|
2022-07-07 00:26:34 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn R_nonces<T: Transcript>(
|
|
|
|
|
transcript: T,
|
|
|
|
|
generators: (Generators<G0>, Generators<G1>),
|
|
|
|
|
s: (G0::Scalar, G1::Scalar),
|
|
|
|
|
A: (G0, G1),
|
2022-07-15 01:26:07 -04:00
|
|
|
e: (G0::Scalar, G1::Scalar),
|
2022-07-07 00:26:34 -04:00
|
|
|
) -> (G0::Scalar, G1::Scalar) {
|
|
|
|
|
Self::nonces(transcript, Self::R(generators, s, A, e))
|
|
|
|
|
}
|
2022-07-05 19:10:30 -04:00
|
|
|
|
2022-07-07 00:26:34 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
pub(crate) fn prove<R: RngCore + CryptoRng, T: Clone + Transcript>(
|
2022-07-05 19:10:30 -04:00
|
|
|
rng: &mut R,
|
2023-12-17 00:01:41 -05:00
|
|
|
transcript: &T,
|
2022-07-05 19:10:30 -04:00
|
|
|
generators: (Generators<G0>, Generators<G1>),
|
|
|
|
|
ring: &[(G0, G1)],
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
mut actual: usize,
|
|
|
|
|
blinding_key: &mut (G0::Scalar, G1::Scalar),
|
2022-07-15 01:26:07 -04:00
|
|
|
mut Re_0: Re<G0, G1>,
|
2022-07-05 19:10:30 -04:00
|
|
|
) -> Self {
|
2022-07-07 00:26:34 -04:00
|
|
|
// While it is possible to use larger values, it's not efficient to do so
|
|
|
|
|
// 2 + 2 == 2^2, yet 2 + 2 + 2 < 2^3
|
|
|
|
|
debug_assert!((RING_LEN == 2) || (RING_LEN == 4));
|
|
|
|
|
debug_assert_eq!(RING_LEN, ring.len());
|
|
|
|
|
|
2023-03-28 04:38:01 -04:00
|
|
|
let mut s = [(G0::Scalar::ZERO, G1::Scalar::ZERO); RING_LEN];
|
2022-07-05 19:10:30 -04:00
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
let mut r = (G0::Scalar::random(&mut *rng), G1::Scalar::random(&mut *rng));
|
2022-07-05 19:10:30 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
let original_R = (generators.0.alt * r.0, generators.1.alt * r.1);
|
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
let mut R = original_R;
|
|
|
|
|
|
2023-12-17 00:01:41 -05:00
|
|
|
for i in ((actual + 1) ..= (actual + RING_LEN)).map(|i| i % RING_LEN) {
|
2022-07-07 00:26:34 -04:00
|
|
|
let e = Self::nonces(transcript.clone(), R);
|
2022-07-05 19:10:30 -04:00
|
|
|
if i == 0 {
|
2022-07-07 00:26:34 -04:00
|
|
|
match Re_0 {
|
2022-07-15 01:26:07 -04:00
|
|
|
Re::R(ref mut R0_0, ref mut R1_0) => {
|
|
|
|
|
*R0_0 = R.0;
|
|
|
|
|
*R1_0 = R.1
|
|
|
|
|
}
|
|
|
|
|
Re::e(ref mut e_0) => *e_0 = e.0,
|
2022-07-07 00:26:34 -04:00
|
|
|
}
|
2022-07-05 19:10:30 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Solve for the real index
|
|
|
|
|
if i == actual {
|
|
|
|
|
s[i] = (r.0 + (e.0 * blinding_key.0), r.1 + (e.1 * blinding_key.1));
|
2022-07-07 00:26:34 -04:00
|
|
|
debug_assert_eq!(Self::R(generators, s[i], ring[actual], e), original_R);
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
actual.zeroize();
|
|
|
|
|
blinding_key.0.zeroize();
|
|
|
|
|
blinding_key.1.zeroize();
|
|
|
|
|
r.0.zeroize();
|
|
|
|
|
r.1.zeroize();
|
2022-07-05 19:10:30 -04:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-17 00:01:41 -05:00
|
|
|
// Generate a decoy response
|
|
|
|
|
s[i] = (G0::Scalar::random(&mut *rng), G1::Scalar::random(&mut *rng));
|
2022-07-07 00:26:34 -04:00
|
|
|
R = Self::R(generators, s[i], ring[i], e);
|
2022-07-05 19:10:30 -04:00
|
|
|
}
|
|
|
|
|
|
2022-07-07 00:26:34 -04:00
|
|
|
Aos { Re_0, s }
|
2022-07-05 19:10:30 -04:00
|
|
|
}
|
|
|
|
|
|
2022-07-07 00:26:34 -04:00
|
|
|
// Assumes the ring has already been transcripted in some form. Critically insecure if it hasn't
|
|
|
|
|
pub(crate) fn verify<R: RngCore + CryptoRng, T: Clone + Transcript>(
|
2022-07-05 19:10:30 -04:00
|
|
|
&self,
|
|
|
|
|
rng: &mut R,
|
2023-12-17 00:01:41 -05:00
|
|
|
transcript: &T,
|
2022-07-05 19:10:30 -04:00
|
|
|
generators: (Generators<G0>, Generators<G1>),
|
2022-07-07 00:26:34 -04:00
|
|
|
batch: &mut (BatchVerifier<(), G0>, BatchVerifier<(), G1>),
|
2022-07-15 01:26:07 -04:00
|
|
|
ring: &[(G0, G1)],
|
2022-07-05 19:10:30 -04:00
|
|
|
) -> Result<(), DLEqError> {
|
2022-07-07 00:26:34 -04:00
|
|
|
debug_assert!((RING_LEN == 2) || (RING_LEN == 4));
|
|
|
|
|
debug_assert_eq!(RING_LEN, ring.len());
|
|
|
|
|
|
2022-07-07 07:30:10 -04:00
|
|
|
#[allow(non_snake_case)]
|
2022-07-07 00:26:34 -04:00
|
|
|
match self.Re_0 {
|
|
|
|
|
Re::R(R0_0, R1_0) => {
|
|
|
|
|
let mut e = Self::nonces(transcript.clone(), (R0_0, R1_0));
|
2022-07-22 02:34:36 -04:00
|
|
|
#[allow(clippy::needless_range_loop)]
|
2022-07-07 00:26:34 -04:00
|
|
|
for i in 0 .. (RING_LEN - 1) {
|
|
|
|
|
e = Self::R_nonces(transcript.clone(), generators, self.s[i], ring[i], e);
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-15 01:26:07 -04:00
|
|
|
let mut statements =
|
|
|
|
|
Self::R_batch(generators, *self.s.last().unwrap(), *ring.last().unwrap(), e);
|
2023-03-28 04:38:01 -04:00
|
|
|
statements.0.push((G0::Scalar::ONE, R0_0));
|
|
|
|
|
statements.1.push((G1::Scalar::ONE, R1_0));
|
2022-07-07 00:26:34 -04:00
|
|
|
batch.0.queue(&mut *rng, (), statements.0);
|
|
|
|
|
batch.1.queue(&mut *rng, (), statements.1);
|
2022-07-15 01:26:07 -04:00
|
|
|
}
|
2022-07-07 00:26:34 -04:00
|
|
|
|
|
|
|
|
Re::e(e_0) => {
|
|
|
|
|
let e_0 = (e_0, scalar_convert(e_0).ok_or(DLEqError::InvalidChallenge)?);
|
|
|
|
|
let mut e = None;
|
2022-07-22 02:34:36 -04:00
|
|
|
#[allow(clippy::needless_range_loop)]
|
2022-07-07 00:26:34 -04:00
|
|
|
for i in 0 .. RING_LEN {
|
2022-07-15 01:26:07 -04:00
|
|
|
e = Some(Self::R_nonces(
|
|
|
|
|
transcript.clone(),
|
|
|
|
|
generators,
|
|
|
|
|
self.s[i],
|
|
|
|
|
ring[i],
|
|
|
|
|
e.unwrap_or(e_0),
|
|
|
|
|
));
|
2022-07-07 00:26:34 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Will panic if the above loop is never run somehow
|
|
|
|
|
// If e wasn't an Option, and instead initially set to e_0, it'd always pass
|
|
|
|
|
if e_0 != e.unwrap() {
|
|
|
|
|
Err(DLEqError::InvalidProof)?;
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-07-05 19:10:30 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[cfg(feature = "serialize")]
|
2023-01-01 01:54:18 -05:00
|
|
|
pub(crate) fn write<W: Write>(&self, w: &mut W) -> std::io::Result<()> {
|
2022-07-07 08:46:11 -04:00
|
|
|
#[allow(non_snake_case)]
|
2022-07-07 00:26:34 -04:00
|
|
|
match self.Re_0 {
|
|
|
|
|
Re::R(R0, R1) => {
|
|
|
|
|
w.write_all(R0.to_bytes().as_ref())?;
|
|
|
|
|
w.write_all(R1.to_bytes().as_ref())?;
|
2022-07-15 01:26:07 -04:00
|
|
|
}
|
|
|
|
|
Re::e(e) => w.write_all(e.to_repr().as_ref())?,
|
2022-07-07 00:26:34 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for i in 0 .. RING_LEN {
|
2022-07-05 19:10:30 -04:00
|
|
|
w.write_all(self.s[i].0.to_repr().as_ref())?;
|
|
|
|
|
w.write_all(self.s[i].1.to_repr().as_ref())?;
|
|
|
|
|
}
|
2022-07-07 00:26:34 -04:00
|
|
|
|
2022-07-05 19:10:30 -04:00
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-07 08:46:11 -04:00
|
|
|
#[allow(non_snake_case)]
|
2022-07-05 19:10:30 -04:00
|
|
|
#[cfg(feature = "serialize")]
|
2023-01-01 01:54:18 -05:00
|
|
|
pub(crate) fn read<R: Read>(r: &mut R, mut Re_0: Re<G0, G1>) -> std::io::Result<Self> {
|
2022-07-07 00:26:34 -04:00
|
|
|
match Re_0 {
|
2022-07-15 01:26:07 -04:00
|
|
|
Re::R(ref mut R0, ref mut R1) => {
|
|
|
|
|
*R0 = read_point(r)?;
|
|
|
|
|
*R1 = read_point(r)?
|
|
|
|
|
}
|
|
|
|
|
Re::e(ref mut e) => *e = read_scalar(r)?,
|
2022-07-07 00:26:34 -04:00
|
|
|
}
|
|
|
|
|
|
2023-03-28 04:38:01 -04:00
|
|
|
let mut s = [(G0::Scalar::ZERO, G1::Scalar::ZERO); RING_LEN];
|
2023-12-16 20:54:24 -05:00
|
|
|
for s in &mut s {
|
2022-07-22 02:34:36 -04:00
|
|
|
*s = (read_scalar(r)?, read_scalar(r)?);
|
2022-07-05 19:10:30 -04:00
|
|
|
}
|
2022-07-07 00:26:34 -04:00
|
|
|
|
|
|
|
|
Ok(Aos { Re_0, s })
|
2022-07-05 19:10:30 -04:00
|
|
|
}
|
|
|
|
|
}
|