2022-04-29 22:03:34 -04:00
|
|
|
use core::fmt::Debug;
|
2022-07-15 01:26:07 -04:00
|
|
|
use std::{
|
|
|
|
|
io::Read,
|
|
|
|
|
sync::{Arc, RwLock},
|
|
|
|
|
};
|
2022-04-29 22:03:34 -04:00
|
|
|
|
2022-05-06 07:33:08 -04:00
|
|
|
use rand_core::{RngCore, CryptoRng, SeedableRng};
|
|
|
|
|
use rand_chacha::ChaCha12Rng;
|
2022-04-21 21:36:18 -04:00
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
use zeroize::{Zeroize, ZeroizeOnDrop};
|
|
|
|
|
|
2022-04-21 21:36:18 -04:00
|
|
|
use curve25519_dalek::{
|
|
|
|
|
constants::ED25519_BASEPOINT_TABLE,
|
2022-07-12 01:28:01 -04:00
|
|
|
traits::{Identity, IsIdentity},
|
2022-04-21 21:36:18 -04:00
|
|
|
scalar::Scalar,
|
2022-07-15 01:26:07 -04:00
|
|
|
edwards::EdwardsPoint,
|
2022-04-21 21:36:18 -04:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
use group::Group;
|
2022-05-03 07:20:24 -04:00
|
|
|
|
2022-06-24 18:58:24 -04:00
|
|
|
use transcript::{Transcript, RecommendedTranscript};
|
2022-06-28 00:06:12 -04:00
|
|
|
use frost::{curve::Ed25519, FrostError, FrostView, algorithm::Algorithm};
|
2022-05-03 08:49:46 -04:00
|
|
|
use dalek_ff_group as dfg;
|
2022-04-21 21:36:18 -04:00
|
|
|
|
|
|
|
|
use crate::{
|
2022-06-30 05:42:29 -04:00
|
|
|
frost::{MultisigError, write_dleq, read_dleq},
|
2022-07-15 01:26:07 -04:00
|
|
|
ringct::{
|
|
|
|
|
hash_to_point,
|
|
|
|
|
clsag::{ClsagInput, Clsag},
|
|
|
|
|
},
|
2022-04-21 21:36:18 -04:00
|
|
|
};
|
|
|
|
|
|
2022-05-21 15:33:35 -04:00
|
|
|
impl ClsagInput {
|
2022-06-24 18:58:24 -04:00
|
|
|
fn transcript<T: Transcript>(&self, transcript: &mut T) {
|
2022-05-06 07:33:08 -04:00
|
|
|
// Doesn't domain separate as this is considered part of the larger CLSAG proof
|
2022-05-06 01:35:23 -04:00
|
|
|
|
2022-05-03 07:20:24 -04:00
|
|
|
// Ring index
|
2022-05-06 19:07:37 -04:00
|
|
|
transcript.append_message(b"ring_index", &[self.decoys.i]);
|
2022-05-03 07:20:24 -04:00
|
|
|
|
|
|
|
|
// Ring
|
|
|
|
|
let mut ring = vec![];
|
2022-05-06 19:07:37 -04:00
|
|
|
for pair in &self.decoys.ring {
|
2022-05-03 07:20:24 -04:00
|
|
|
// Doesn't include global output indexes as CLSAG doesn't care and won't be affected by it
|
2022-05-06 19:07:37 -04:00
|
|
|
// They're just a unreliable reference to this data which will be included in the message
|
|
|
|
|
// if in use
|
2022-05-03 07:20:24 -04:00
|
|
|
ring.extend(&pair[0].compress().to_bytes());
|
|
|
|
|
ring.extend(&pair[1].compress().to_bytes());
|
|
|
|
|
}
|
|
|
|
|
transcript.append_message(b"ring", &ring);
|
|
|
|
|
|
|
|
|
|
// Doesn't include the commitment's parts as the above ring + index includes the commitment
|
|
|
|
|
// The only potential malleability would be if the G/H relationship is known breaking the
|
|
|
|
|
// discrete log problem, which breaks everything already
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
#[derive(Clone, Debug, Zeroize, ZeroizeOnDrop)]
|
2022-08-21 11:29:01 -04:00
|
|
|
pub struct ClsagDetails {
|
2022-05-21 15:33:35 -04:00
|
|
|
input: ClsagInput,
|
2022-07-15 01:26:07 -04:00
|
|
|
mask: Scalar,
|
2022-05-06 19:07:37 -04:00
|
|
|
}
|
|
|
|
|
|
2022-05-21 15:33:35 -04:00
|
|
|
impl ClsagDetails {
|
2022-08-21 11:29:01 -04:00
|
|
|
pub fn new(input: ClsagInput, mask: Scalar) -> ClsagDetails {
|
2022-05-21 15:33:35 -04:00
|
|
|
ClsagDetails { input, mask }
|
2022-05-06 19:07:37 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-21 21:36:18 -04:00
|
|
|
#[allow(non_snake_case)]
|
2022-07-22 02:34:36 -04:00
|
|
|
#[derive(Clone, PartialEq, Eq, Debug)]
|
2022-05-06 19:07:37 -04:00
|
|
|
struct Interim {
|
2022-05-13 20:26:29 -04:00
|
|
|
p: Scalar,
|
2022-04-21 21:36:18 -04:00
|
|
|
c: Scalar,
|
|
|
|
|
|
|
|
|
|
clsag: Clsag,
|
2022-07-15 01:26:07 -04:00
|
|
|
pseudo_out: EdwardsPoint,
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[allow(non_snake_case)]
|
2022-06-05 07:33:15 -04:00
|
|
|
#[derive(Clone, Debug)]
|
2022-05-21 15:33:35 -04:00
|
|
|
pub struct ClsagMultisig {
|
2022-06-24 18:58:24 -04:00
|
|
|
transcript: RecommendedTranscript,
|
2022-05-06 07:33:08 -04:00
|
|
|
|
2022-05-17 19:15:53 -04:00
|
|
|
H: EdwardsPoint,
|
2022-07-15 01:26:07 -04:00
|
|
|
// Merged here as CLSAG needs it, passing it would be a mess, yet having it beforehand requires
|
|
|
|
|
// an extra round
|
2022-05-03 07:20:24 -04:00
|
|
|
image: EdwardsPoint,
|
2022-04-21 21:36:18 -04:00
|
|
|
|
2022-06-05 07:33:15 -04:00
|
|
|
details: Arc<RwLock<Option<ClsagDetails>>>,
|
2022-04-29 22:03:34 -04:00
|
|
|
|
2022-05-18 00:53:13 -04:00
|
|
|
msg: Option<[u8; 32]>,
|
2022-07-15 01:26:07 -04:00
|
|
|
interim: Option<Interim>,
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
|
2022-05-21 15:33:35 -04:00
|
|
|
impl ClsagMultisig {
|
2022-04-29 15:28:04 -04:00
|
|
|
pub fn new(
|
2022-06-24 18:58:24 -04:00
|
|
|
transcript: RecommendedTranscript,
|
2022-07-12 01:28:01 -04:00
|
|
|
output_key: EdwardsPoint,
|
2022-07-15 01:26:07 -04:00
|
|
|
details: Arc<RwLock<Option<ClsagDetails>>>,
|
2022-05-21 15:33:35 -04:00
|
|
|
) -> Result<ClsagMultisig, MultisigError> {
|
2022-07-15 01:26:07 -04:00
|
|
|
Ok(ClsagMultisig {
|
|
|
|
|
transcript,
|
2022-05-06 07:33:08 -04:00
|
|
|
|
2022-07-15 01:26:07 -04:00
|
|
|
H: hash_to_point(output_key),
|
|
|
|
|
image: EdwardsPoint::identity(),
|
2022-04-21 21:36:18 -04:00
|
|
|
|
2022-07-15 01:26:07 -04:00
|
|
|
details,
|
2022-04-30 01:43:15 -04:00
|
|
|
|
2022-07-15 01:26:07 -04:00
|
|
|
msg: None,
|
|
|
|
|
interim: None,
|
|
|
|
|
})
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
2022-04-30 04:32:19 -04:00
|
|
|
|
2022-08-21 11:29:01 -04:00
|
|
|
pub(crate) const fn serialized_len() -> usize {
|
|
|
|
|
32 + (2 * 32)
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-21 15:33:35 -04:00
|
|
|
fn input(&self) -> ClsagInput {
|
2022-06-05 07:33:15 -04:00
|
|
|
(*self.details.read().unwrap()).as_ref().unwrap().input.clone()
|
2022-05-06 19:07:37 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn mask(&self) -> Scalar {
|
2022-06-05 07:33:15 -04:00
|
|
|
(*self.details.read().unwrap()).as_ref().unwrap().mask
|
2022-05-06 19:07:37 -04:00
|
|
|
}
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
|
2022-05-21 15:33:35 -04:00
|
|
|
impl Algorithm<Ed25519> for ClsagMultisig {
|
2022-06-24 18:58:24 -04:00
|
|
|
type Transcript = RecommendedTranscript;
|
2022-04-21 21:36:18 -04:00
|
|
|
type Signature = (Clsag, EdwardsPoint);
|
|
|
|
|
|
2022-07-12 01:28:01 -04:00
|
|
|
fn nonces(&self) -> Vec<Vec<dfg::EdwardsPoint>> {
|
|
|
|
|
vec![vec![dfg::EdwardsPoint::generator(), dfg::EdwardsPoint(self.H)]]
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-21 21:36:18 -04:00
|
|
|
fn preprocess_addendum<R: RngCore + CryptoRng>(
|
2022-05-17 19:15:53 -04:00
|
|
|
&mut self,
|
2022-04-21 21:36:18 -04:00
|
|
|
rng: &mut R,
|
2022-07-15 01:26:07 -04:00
|
|
|
view: &FrostView<Ed25519>,
|
2022-04-21 21:36:18 -04:00
|
|
|
) -> Vec<u8> {
|
2022-08-21 11:29:01 -04:00
|
|
|
let mut serialized = Vec::with_capacity(Self::serialized_len());
|
2022-05-17 19:15:53 -04:00
|
|
|
serialized.extend((view.secret_share().0 * self.H).compress().to_bytes());
|
2022-06-30 05:42:29 -04:00
|
|
|
serialized.extend(write_dleq(rng, self.H, view.secret_share().0));
|
2022-04-21 21:36:18 -04:00
|
|
|
serialized
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-13 02:38:29 -04:00
|
|
|
fn process_addendum<Re: Read>(
|
2022-04-21 21:36:18 -04:00
|
|
|
&mut self,
|
2022-06-28 00:06:12 -04:00
|
|
|
view: &FrostView<Ed25519>,
|
2022-05-24 21:41:14 -04:00
|
|
|
l: u16,
|
2022-07-15 01:26:07 -04:00
|
|
|
serialized: &mut Re,
|
2022-04-21 21:36:18 -04:00
|
|
|
) -> Result<(), FrostError> {
|
2022-07-22 02:34:36 -04:00
|
|
|
if self.image.is_identity() {
|
2022-05-06 07:33:08 -04:00
|
|
|
self.transcript.domain_separate(b"CLSAG");
|
2022-05-06 19:07:37 -04:00
|
|
|
self.input().transcript(&mut self.transcript);
|
|
|
|
|
self.transcript.append_message(b"mask", &self.mask().to_bytes());
|
2022-05-06 07:33:08 -04:00
|
|
|
}
|
|
|
|
|
|
2022-05-24 21:41:14 -04:00
|
|
|
self.transcript.append_message(b"participant", &l.to_be_bytes());
|
2022-07-15 01:26:07 -04:00
|
|
|
let image = read_dleq(serialized, self.H, l, view.verification_share(l))
|
|
|
|
|
.map_err(|_| FrostError::InvalidCommitment(l))?
|
|
|
|
|
.0;
|
2022-07-13 02:38:29 -04:00
|
|
|
self.transcript.append_message(b"key_image_share", image.compress().to_bytes().as_ref());
|
|
|
|
|
self.image += image;
|
2022-04-21 21:36:18 -04:00
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-06 07:33:08 -04:00
|
|
|
fn transcript(&mut self) -> &mut Self::Transcript {
|
|
|
|
|
&mut self.transcript
|
2022-04-29 15:28:04 -04:00
|
|
|
}
|
|
|
|
|
|
2022-04-21 21:36:18 -04:00
|
|
|
fn sign_share(
|
|
|
|
|
&mut self,
|
2022-06-28 00:06:12 -04:00
|
|
|
view: &FrostView<Ed25519>,
|
2022-07-12 01:28:01 -04:00
|
|
|
nonce_sums: &[Vec<dfg::EdwardsPoint>],
|
|
|
|
|
nonces: &[dfg::Scalar],
|
2022-07-15 01:26:07 -04:00
|
|
|
msg: &[u8],
|
2022-04-21 21:36:18 -04:00
|
|
|
) -> dfg::Scalar {
|
2022-05-03 07:20:24 -04:00
|
|
|
// Use the transcript to get a seeded random number generator
|
|
|
|
|
// The transcript contains private data, preventing passive adversaries from recreating this
|
|
|
|
|
// process even if they have access to commitments (specifically, the ring index being signed
|
|
|
|
|
// for, along with the mask which should not only require knowing the shared keys yet also the
|
2022-05-06 07:33:08 -04:00
|
|
|
// input commitment masks)
|
2022-05-31 02:12:14 -04:00
|
|
|
let mut rng = ChaCha12Rng::from_seed(self.transcript.rng_seed(b"decoy_responses"));
|
2022-04-28 12:01:20 -04:00
|
|
|
|
2022-05-18 00:53:13 -04:00
|
|
|
self.msg = Some(msg.try_into().expect("CLSAG message should be 32-bytes"));
|
|
|
|
|
|
2022-04-21 21:36:18 -04:00
|
|
|
#[allow(non_snake_case)]
|
2022-05-21 15:33:35 -04:00
|
|
|
let (clsag, pseudo_out, p, c) = Clsag::sign_core(
|
2022-04-28 17:12:54 -04:00
|
|
|
&mut rng,
|
2022-04-30 01:43:15 -04:00
|
|
|
&self.image,
|
2022-05-06 19:07:37 -04:00
|
|
|
&self.input(),
|
|
|
|
|
self.mask(),
|
2022-07-22 02:34:36 -04:00
|
|
|
self.msg.as_ref().unwrap(),
|
2022-07-12 01:28:01 -04:00
|
|
|
nonce_sums[0][0].0,
|
2022-07-15 01:26:07 -04:00
|
|
|
nonce_sums[0][1].0,
|
2022-04-23 03:49:30 -04:00
|
|
|
);
|
2022-05-13 20:26:29 -04:00
|
|
|
self.interim = Some(Interim { p, c, clsag, pseudo_out });
|
2022-04-21 21:36:18 -04:00
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
nonces[0] - (dfg::Scalar(p) * view.secret_share())
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
|
2022-07-07 14:28:42 -04:00
|
|
|
#[must_use]
|
2022-04-21 21:36:18 -04:00
|
|
|
fn verify(
|
|
|
|
|
&self,
|
|
|
|
|
_: dfg::EdwardsPoint,
|
2022-07-12 01:28:01 -04:00
|
|
|
_: &[Vec<dfg::EdwardsPoint>],
|
2022-07-15 01:26:07 -04:00
|
|
|
sum: dfg::Scalar,
|
2022-04-21 21:36:18 -04:00
|
|
|
) -> Option<Self::Signature> {
|
|
|
|
|
let interim = self.interim.as_ref().unwrap();
|
|
|
|
|
let mut clsag = interim.clsag.clone();
|
2022-05-21 15:33:35 -04:00
|
|
|
clsag.s[usize::from(self.input().decoys.i)] = sum.0 - interim.c;
|
2022-07-15 01:26:07 -04:00
|
|
|
if clsag
|
|
|
|
|
.verify(
|
|
|
|
|
&self.input().decoys.ring,
|
|
|
|
|
&self.image,
|
|
|
|
|
&interim.pseudo_out,
|
2022-07-22 02:34:36 -04:00
|
|
|
self.msg.as_ref().unwrap(),
|
2022-07-15 01:26:07 -04:00
|
|
|
)
|
|
|
|
|
.is_ok()
|
|
|
|
|
{
|
2022-05-13 20:26:29 -04:00
|
|
|
return Some((clsag, interim.pseudo_out));
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
2022-07-22 02:34:36 -04:00
|
|
|
None
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
|
2022-07-07 14:28:42 -04:00
|
|
|
#[must_use]
|
2022-04-21 21:36:18 -04:00
|
|
|
fn verify_share(
|
|
|
|
|
&self,
|
|
|
|
|
verification_share: dfg::EdwardsPoint,
|
2022-07-12 01:28:01 -04:00
|
|
|
nonces: &[Vec<dfg::EdwardsPoint>],
|
2022-04-21 21:36:18 -04:00
|
|
|
share: dfg::Scalar,
|
|
|
|
|
) -> bool {
|
|
|
|
|
let interim = self.interim.as_ref().unwrap();
|
2022-07-22 02:34:36 -04:00
|
|
|
(&share.0 * &ED25519_BASEPOINT_TABLE) == (nonces[0][0].0 - (interim.p * verification_share.0))
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
}
|