2022-06-30 18:46:18 -04:00
|
|
|
use core::fmt::Debug;
|
2022-07-13 02:38:29 -04:00
|
|
|
use std::io::Read;
|
2022-06-24 19:47:19 -04:00
|
|
|
|
|
|
|
|
use thiserror::Error;
|
|
|
|
|
|
|
|
|
|
use rand_core::{RngCore, CryptoRng};
|
|
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
use zeroize::Zeroize;
|
|
|
|
|
|
2022-06-30 09:30:24 -04:00
|
|
|
use ff::{PrimeField, PrimeFieldBits};
|
2022-06-30 18:46:18 -04:00
|
|
|
use group::{Group, GroupOps, GroupEncoding, prime::PrimeGroup};
|
2022-06-24 19:47:19 -04:00
|
|
|
|
|
|
|
|
#[cfg(any(test, feature = "dalek"))]
|
|
|
|
|
mod dalek;
|
|
|
|
|
#[cfg(any(test, feature = "ristretto"))]
|
|
|
|
|
pub use dalek::{Ristretto, IetfRistrettoHram};
|
|
|
|
|
#[cfg(feature = "ed25519")]
|
|
|
|
|
pub use dalek::{Ed25519, IetfEd25519Hram};
|
|
|
|
|
|
|
|
|
|
#[cfg(feature = "kp256")]
|
|
|
|
|
mod kp256;
|
|
|
|
|
#[cfg(feature = "secp256k1")]
|
|
|
|
|
pub use kp256::{Secp256k1, NonIetfSecp256k1Hram};
|
|
|
|
|
#[cfg(feature = "p256")]
|
|
|
|
|
pub use kp256::{P256, IetfP256Hram};
|
|
|
|
|
|
|
|
|
|
/// Set of errors for curve-related operations, namely encoding and decoding
|
|
|
|
|
#[derive(Clone, Error, Debug)]
|
|
|
|
|
pub enum CurveError {
|
|
|
|
|
#[error("invalid scalar")]
|
|
|
|
|
InvalidScalar,
|
|
|
|
|
#[error("invalid point")]
|
|
|
|
|
InvalidPoint,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Unified trait to manage a field/group
|
|
|
|
|
// This should be moved into its own crate if the need for generic cryptography over ff/group
|
|
|
|
|
// continues, which is the exact reason ff/group exists (to provide a generic interface)
|
|
|
|
|
// elliptic-curve exists, yet it doesn't really serve the same role, nor does it use &[u8]/Vec<u8>
|
|
|
|
|
// It uses GenericArray which will hopefully be deprecated as Rust evolves and doesn't offer enough
|
|
|
|
|
// advantages in the modern day to be worth the hassle -- Kayaba
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
pub trait Curve: Clone + Copy + PartialEq + Eq + Debug + Zeroize {
|
2022-06-24 19:47:19 -04:00
|
|
|
/// Scalar field element type
|
|
|
|
|
// This is available via G::Scalar yet `C::G::Scalar` is ambiguous, forcing horrific accesses
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
type F: PrimeField + PrimeFieldBits + Zeroize;
|
2022-06-24 19:47:19 -04:00
|
|
|
/// Group element type
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
type G: Group<Scalar = Self::F> + GroupOps + PrimeGroup + Zeroize;
|
2022-06-24 19:47:19 -04:00
|
|
|
|
|
|
|
|
/// ID for this curve
|
|
|
|
|
const ID: &'static [u8];
|
|
|
|
|
|
|
|
|
|
/// Generator for the group
|
2022-06-30 18:46:18 -04:00
|
|
|
// While group does provide this in its API, privacy coins may want to use a custom basepoint
|
2022-08-13 05:07:07 -04:00
|
|
|
fn generator() -> Self::G;
|
2022-06-24 19:47:19 -04:00
|
|
|
|
|
|
|
|
/// Hash the message for the binding factor. H3 from the IETF draft
|
|
|
|
|
// This doesn't actually need to be part of Curve as it does nothing with the curve
|
|
|
|
|
// This also solely relates to FROST and with a proper Algorithm/HRAM, all projects using
|
|
|
|
|
// aggregatable signatures over this curve will work without issue
|
2022-08-13 08:50:30 -04:00
|
|
|
// It is kept here as Curve + H{1, 2, 3, 4} is effectively a ciphersuite according to the IETF
|
|
|
|
|
// draft and moving it to Schnorr would force all of them into being ciphersuite-specific
|
2022-06-24 19:47:19 -04:00
|
|
|
// H2 is left to the Schnorr Algorithm as H2 is the H used in HRAM, which Schnorr further
|
|
|
|
|
// modularizes
|
|
|
|
|
fn hash_msg(msg: &[u8]) -> Vec<u8>;
|
|
|
|
|
|
|
|
|
|
/// Hash the commitments and message to calculate the binding factor. H1 from the IETF draft
|
|
|
|
|
fn hash_binding_factor(binding: &[u8]) -> Self::F;
|
|
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
/// Securely generate a random nonce. H4 from the IETF draft
|
|
|
|
|
fn random_nonce<R: RngCore + CryptoRng>(mut secret: Self::F, rng: &mut R) -> Self::F {
|
|
|
|
|
let mut seed = vec![0; 32];
|
|
|
|
|
rng.fill_bytes(&mut seed);
|
|
|
|
|
|
|
|
|
|
let mut repr = secret.to_repr();
|
|
|
|
|
secret.zeroize();
|
|
|
|
|
|
|
|
|
|
seed.extend(repr.as_ref());
|
|
|
|
|
for i in repr.as_mut() {
|
2022-08-12 01:14:13 -04:00
|
|
|
i.zeroize();
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let res = Self::hash_to_F(b"nonce", &seed);
|
|
|
|
|
seed.zeroize();
|
|
|
|
|
res
|
|
|
|
|
}
|
2022-06-24 19:47:19 -04:00
|
|
|
|
|
|
|
|
/// Field element from hash. Used during key gen and by other crates under Serai as a general
|
|
|
|
|
/// utility
|
|
|
|
|
// Not parameterized by Digest as it's fine for it to use its own hash function as relevant to
|
|
|
|
|
// hash_msg and hash_binding_factor
|
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn hash_to_F(dst: &[u8], msg: &[u8]) -> Self::F;
|
|
|
|
|
|
2022-07-13 02:38:29 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn F_len() -> usize {
|
|
|
|
|
<Self::F as PrimeField>::Repr::default().as_ref().len()
|
|
|
|
|
}
|
2022-06-28 01:25:26 -04:00
|
|
|
|
2022-07-13 02:38:29 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn G_len() -> usize {
|
|
|
|
|
<Self::G as GroupEncoding>::Repr::default().as_ref().len()
|
2022-06-28 01:25:26 -04:00
|
|
|
}
|
2022-06-24 19:47:19 -04:00
|
|
|
|
2022-07-13 02:38:29 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn read_F<R: Read>(r: &mut R) -> Result<Self::F, CurveError> {
|
|
|
|
|
let mut encoding = <Self::F as PrimeField>::Repr::default();
|
|
|
|
|
r.read_exact(encoding.as_mut()).map_err(|_| CurveError::InvalidScalar)?;
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
|
2022-07-13 02:38:29 -04:00
|
|
|
// ff mandates this is canonical
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
let res =
|
|
|
|
|
Option::<Self::F>::from(Self::F::from_repr(encoding)).ok_or(CurveError::InvalidScalar);
|
|
|
|
|
for b in encoding.as_mut() {
|
2022-08-12 01:14:13 -04:00
|
|
|
b.zeroize();
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
}
|
|
|
|
|
res
|
2022-07-13 02:38:29 -04:00
|
|
|
}
|
2022-06-28 01:25:26 -04:00
|
|
|
|
2022-07-13 02:38:29 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn read_G<R: Read>(r: &mut R) -> Result<Self::G, CurveError> {
|
|
|
|
|
let mut encoding = <Self::G as GroupEncoding>::Repr::default();
|
|
|
|
|
r.read_exact(encoding.as_mut()).map_err(|_| CurveError::InvalidPoint)?;
|
|
|
|
|
|
2022-07-15 01:26:07 -04:00
|
|
|
let point =
|
|
|
|
|
Option::<Self::G>::from(Self::G::from_bytes(&encoding)).ok_or(CurveError::InvalidPoint)?;
|
2022-07-13 02:38:29 -04:00
|
|
|
// Ban the identity, per the FROST spec, and non-canonical points
|
|
|
|
|
if (point.is_identity().into()) || (point.to_bytes().as_ref() != encoding.as_ref()) {
|
|
|
|
|
Err(CurveError::InvalidPoint)?;
|
|
|
|
|
}
|
|
|
|
|
Ok(point)
|
2022-06-28 01:25:26 -04:00
|
|
|
}
|
2022-06-24 19:47:19 -04:00
|
|
|
}
|