2022-06-30 18:46:18 -04:00
|
|
|
use core::fmt::Debug;
|
2022-07-13 02:38:29 -04:00
|
|
|
use std::io::Read;
|
2022-06-24 19:47:19 -04:00
|
|
|
|
|
|
|
|
use thiserror::Error;
|
|
|
|
|
|
|
|
|
|
use rand_core::{RngCore, CryptoRng};
|
|
|
|
|
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
use zeroize::Zeroize;
|
|
|
|
|
|
2022-06-30 09:30:24 -04:00
|
|
|
use ff::{PrimeField, PrimeFieldBits};
|
2022-06-30 18:46:18 -04:00
|
|
|
use group::{Group, GroupOps, GroupEncoding, prime::PrimeGroup};
|
2022-06-24 19:47:19 -04:00
|
|
|
|
|
|
|
|
#[cfg(any(test, feature = "dalek"))]
|
|
|
|
|
mod dalek;
|
|
|
|
|
#[cfg(any(test, feature = "ristretto"))]
|
|
|
|
|
pub use dalek::{Ristretto, IetfRistrettoHram};
|
|
|
|
|
#[cfg(feature = "ed25519")]
|
|
|
|
|
pub use dalek::{Ed25519, IetfEd25519Hram};
|
|
|
|
|
|
|
|
|
|
#[cfg(feature = "kp256")]
|
|
|
|
|
mod kp256;
|
|
|
|
|
#[cfg(feature = "secp256k1")]
|
2022-08-26 05:59:43 -04:00
|
|
|
pub use kp256::{Secp256k1, IetfSecp256k1Hram};
|
2022-06-24 19:47:19 -04:00
|
|
|
#[cfg(feature = "p256")]
|
|
|
|
|
pub use kp256::{P256, IetfP256Hram};
|
|
|
|
|
|
2022-08-29 02:32:59 -05:00
|
|
|
#[cfg(feature = "ed448")]
|
|
|
|
|
mod ed448;
|
|
|
|
|
#[cfg(feature = "ed448")]
|
|
|
|
|
pub use ed448::{Ed448, Ietf8032Ed448Hram, NonIetfEd448Hram};
|
|
|
|
|
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Set of errors for curve-related operations, namely encoding and decoding.
|
2022-06-24 19:47:19 -04:00
|
|
|
#[derive(Clone, Error, Debug)]
|
|
|
|
|
pub enum CurveError {
|
|
|
|
|
#[error("invalid scalar")]
|
|
|
|
|
InvalidScalar,
|
|
|
|
|
#[error("invalid point")]
|
|
|
|
|
InvalidPoint,
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Unified trait to manage an elliptic curve.
|
2022-06-24 19:47:19 -04:00
|
|
|
// This should be moved into its own crate if the need for generic cryptography over ff/group
|
|
|
|
|
// continues, which is the exact reason ff/group exists (to provide a generic interface)
|
|
|
|
|
// elliptic-curve exists, yet it doesn't really serve the same role, nor does it use &[u8]/Vec<u8>
|
|
|
|
|
// It uses GenericArray which will hopefully be deprecated as Rust evolves and doesn't offer enough
|
|
|
|
|
// advantages in the modern day to be worth the hassle -- Kayaba
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
pub trait Curve: Clone + Copy + PartialEq + Eq + Debug + Zeroize {
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Scalar field element type.
|
2022-06-24 19:47:19 -04:00
|
|
|
// This is available via G::Scalar yet `C::G::Scalar` is ambiguous, forcing horrific accesses
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
type F: PrimeField + PrimeFieldBits + Zeroize;
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Group element type.
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
type G: Group<Scalar = Self::F> + GroupOps + PrimeGroup + Zeroize;
|
2022-06-24 19:47:19 -04:00
|
|
|
|
2022-09-29 05:25:29 -04:00
|
|
|
/// ID for this curve.
|
2022-06-24 19:47:19 -04:00
|
|
|
const ID: &'static [u8];
|
|
|
|
|
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Generator for the group.
|
2022-06-30 18:46:18 -04:00
|
|
|
// While group does provide this in its API, privacy coins may want to use a custom basepoint
|
2022-08-13 05:07:07 -04:00
|
|
|
fn generator() -> Self::G;
|
2022-06-24 19:47:19 -04:00
|
|
|
|
2022-08-26 05:59:43 -04:00
|
|
|
/// Hash the given dst and data to a byte vector. Used to instantiate H4 and H5.
|
|
|
|
|
fn hash_to_vec(dst: &[u8], data: &[u8]) -> Vec<u8>;
|
|
|
|
|
|
|
|
|
|
/// Field element from hash. Used during key gen and by other crates under Serai as a general
|
|
|
|
|
/// utility. Used to instantiate H1 and H3.
|
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn hash_to_F(dst: &[u8], msg: &[u8]) -> Self::F;
|
|
|
|
|
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Hash the message for the binding factor. H4 from the IETF draft.
|
2022-08-26 05:59:43 -04:00
|
|
|
fn hash_msg(msg: &[u8]) -> Vec<u8> {
|
|
|
|
|
Self::hash_to_vec(b"msg", msg)
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Hash the commitments for the binding factor. H5 from the IETF draft.
|
2022-08-26 05:59:43 -04:00
|
|
|
fn hash_commitments(commitments: &[u8]) -> Vec<u8> {
|
|
|
|
|
Self::hash_to_vec(b"com", commitments)
|
|
|
|
|
}
|
2022-06-24 19:47:19 -04:00
|
|
|
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Hash the commitments and message to calculate the binding factor. H1 from the IETF draft.
|
2022-08-26 05:59:43 -04:00
|
|
|
fn hash_binding_factor(binding: &[u8]) -> Self::F {
|
|
|
|
|
Self::hash_to_F(b"rho", binding)
|
|
|
|
|
}
|
2022-06-24 19:47:19 -04:00
|
|
|
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Securely generate a random nonce. H3 from the IETF draft.
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
fn random_nonce<R: RngCore + CryptoRng>(mut secret: Self::F, rng: &mut R) -> Self::F {
|
|
|
|
|
let mut seed = vec![0; 32];
|
|
|
|
|
rng.fill_bytes(&mut seed);
|
|
|
|
|
|
|
|
|
|
let mut repr = secret.to_repr();
|
|
|
|
|
secret.zeroize();
|
|
|
|
|
|
|
|
|
|
seed.extend(repr.as_ref());
|
|
|
|
|
for i in repr.as_mut() {
|
2022-08-12 01:14:13 -04:00
|
|
|
i.zeroize();
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let res = Self::hash_to_F(b"nonce", &seed);
|
|
|
|
|
seed.zeroize();
|
|
|
|
|
res
|
|
|
|
|
}
|
2022-06-24 19:47:19 -04:00
|
|
|
|
2022-07-13 02:38:29 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn F_len() -> usize {
|
|
|
|
|
<Self::F as PrimeField>::Repr::default().as_ref().len()
|
|
|
|
|
}
|
2022-06-28 01:25:26 -04:00
|
|
|
|
2022-07-13 02:38:29 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn G_len() -> usize {
|
|
|
|
|
<Self::G as GroupEncoding>::Repr::default().as_ref().len()
|
2022-06-28 01:25:26 -04:00
|
|
|
}
|
2022-06-24 19:47:19 -04:00
|
|
|
|
2022-07-13 02:38:29 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn read_F<R: Read>(r: &mut R) -> Result<Self::F, CurveError> {
|
|
|
|
|
let mut encoding = <Self::F as PrimeField>::Repr::default();
|
|
|
|
|
r.read_exact(encoding.as_mut()).map_err(|_| CurveError::InvalidScalar)?;
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
|
2022-07-13 02:38:29 -04:00
|
|
|
// ff mandates this is canonical
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
let res =
|
|
|
|
|
Option::<Self::F>::from(Self::F::from_repr(encoding)).ok_or(CurveError::InvalidScalar);
|
|
|
|
|
for b in encoding.as_mut() {
|
2022-08-12 01:14:13 -04:00
|
|
|
b.zeroize();
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
}
|
|
|
|
|
res
|
2022-07-13 02:38:29 -04:00
|
|
|
}
|
2022-06-28 01:25:26 -04:00
|
|
|
|
2022-07-13 02:38:29 -04:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
fn read_G<R: Read>(r: &mut R) -> Result<Self::G, CurveError> {
|
|
|
|
|
let mut encoding = <Self::G as GroupEncoding>::Repr::default();
|
|
|
|
|
r.read_exact(encoding.as_mut()).map_err(|_| CurveError::InvalidPoint)?;
|
|
|
|
|
|
2022-07-15 01:26:07 -04:00
|
|
|
let point =
|
|
|
|
|
Option::<Self::G>::from(Self::G::from_bytes(&encoding)).ok_or(CurveError::InvalidPoint)?;
|
2022-07-13 02:38:29 -04:00
|
|
|
// Ban the identity, per the FROST spec, and non-canonical points
|
|
|
|
|
if (point.is_identity().into()) || (point.to_bytes().as_ref() != encoding.as_ref()) {
|
|
|
|
|
Err(CurveError::InvalidPoint)?;
|
|
|
|
|
}
|
|
|
|
|
Ok(point)
|
2022-06-28 01:25:26 -04:00
|
|
|
}
|
2022-06-24 19:47:19 -04:00
|
|
|
}
|