crypto/ciphersuite/src/kp256.rs

use zeroize::Zeroize;

use sha2::{Digest, Sha256};

use group::ff::{Field, PrimeField};

use elliptic_curve::{
  generic_array::GenericArray,
  bigint::{Encoding, U384},
  hash2curve::{Expander, ExpandMsg, ExpandMsgXmd},
};

use crate::Ciphersuite;

macro_rules! kp_curve {
  (
    $feature: literal,
    $lib:     ident,

    $Ciphersuite: ident,
    $ID:          literal
  ) => {
    #[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
    pub struct $Ciphersuite;
    impl Ciphersuite for $Ciphersuite {
      type F = $lib::Scalar;
      type G = $lib::ProjectivePoint;
      type H = Sha256;

      const ID: &'static [u8] = $ID;

      fn generator() -> Self::G {
        $lib::ProjectivePoint::GENERATOR
      }

      fn hash_to_F(dst: &[u8], msg: &[u8]) -> Self::F {
        let mut dst = dst;
        let oversize = Sha256::digest([b"H2C-OVERSIZE-DST-".as_ref(), dst].concat());
        if dst.len() > 255 {
          dst = oversize.as_ref();
        }

        // While one of these two libraries does support directly hashing to the Scalar field, the
        // other doesn't. While that's probably an oversight, this is a universally working method
        let mut modulus = [0; 48];
        modulus[16 ..].copy_from_slice(&(Self::F::zero() - Self::F::one()).to_bytes());
        let modulus = U384::from_be_slice(&modulus).wrapping_add(&U384::ONE);

        let mut unreduced = U384::from_be_bytes({
          let mut bytes = [0; 48];
          ExpandMsgXmd::<Sha256>::expand_message(&[msg], dst, 48).unwrap().fill_bytes(&mut bytes);
          bytes
        })
        .reduce(&modulus)
        .unwrap()
        .to_be_bytes();

        let mut array = *GenericArray::from_slice(&unreduced[16 ..]);
        let res = $lib::Scalar::from_repr(array).unwrap();
        unreduced.zeroize();
        array.zeroize();
        res
      }
    }
  };
}

#[cfg(feature = "p256")]
kp_curve!("p256", p256, P256, b"P-256");
#[cfg(feature = "p256")]
#[test]
fn test_p256() {
  ff_group_tests::group::test_prime_group_bits::<p256::ProjectivePoint>();
}

#[cfg(feature = "secp256k1")]
kp_curve!("secp256k1", k256, Secp256k1, b"secp256k1");
#[cfg(feature = "secp256k1")]
#[test]
fn test_secp256k1() {
  ff_group_tests::group::test_prime_group_bits::<k256::ProjectivePoint>();
}
Create a dedicated crate for the DKG (#141) * Add dkg crate * Remove F_len and G_len They're generally no longer used. * Replace hash_to_vec with a provided method around associated type H: Digest Part of trying to minimize this trait so it can be moved elsewhere. Vec, which isn't std, may have been a blocker. * Encrypt secret shares within the FROST library Reduces requirements on callers in order to be correct. * Update usage of Zeroize within FROST * Inline functions in key_gen There was no reason to have them separated as they were. sign probably has the same statement available, yet that isn't the focus right now. * Add a ciphersuite package which provides hash_to_F * Set the Ciphersuite version to something valid * Have ed448 export Scalar/FieldElement/Point at the top level * Move FROST over to Ciphersuite * Correct usage of ff in ciphersuite * Correct documentation handling * Move Schnorr signatures to their own crate * Remove unused feature from schnorr * Fix Schnorr tests * Split DKG into a separate crate * Add serialize to Commitments and SecretShare Helper for buf = vec![]; .write(buf).unwrap(); buf * Move FROST over to the new dkg crate * Update Monero lib to latest FROST * Correct ethereum's usage of features * Add serialize to GeneratorProof * Add serialize helper function to FROST * Rename AddendumSerialize to WriteAddendum * Update processor * Slight fix to processor 2022-10-29 03:54:42 -05:00			`use zeroize::Zeroize;`

			`use sha2::{Digest, Sha256};`

			`use group::ff::{Field, PrimeField};`

			`use elliptic_curve::{`
			`generic_array::GenericArray,`
			`bigint::{Encoding, U384},`
			`hash2curve::{Expander, ExpandMsg, ExpandMsgXmd},`
			`};`

			`use crate::Ciphersuite;`

			`macro_rules! kp_curve {`
			`(`
			`$feature: literal,`
			`$lib: ident,`

			`$Ciphersuite: ident,`
			`$ID: literal`
			`) => {`
			`#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]`
			`pub struct $Ciphersuite;`
			`impl Ciphersuite for $Ciphersuite {`
			`type F = $lib::Scalar;`
			`type G = $lib::ProjectivePoint;`
			`type H = Sha256;`

			`const ID: &'static [u8] = $ID;`

			`fn generator() -> Self::G {`
			`$lib::ProjectivePoint::GENERATOR`
			`}`

			`fn hash_to_F(dst: &[u8], msg: &[u8]) -> Self::F {`
			`let mut dst = dst;`
			`let oversize = Sha256::digest([b"H2C-OVERSIZE-DST-".as_ref(), dst].concat());`
			`if dst.len() > 255 {`
			`dst = oversize.as_ref();`
			`}`

			`// While one of these two libraries does support directly hashing to the Scalar field, the`
			`// other doesn't. While that's probably an oversight, this is a universally working method`
			`let mut modulus = [0; 48];`
			`modulus[16 ..].copy_from_slice(&(Self::F::zero() - Self::F::one()).to_bytes());`
			`let modulus = U384::from_be_slice(&modulus).wrapping_add(&U384::ONE);`

			`let mut unreduced = U384::from_be_bytes({`
			`let mut bytes = [0; 48];`
			`ExpandMsgXmd::<Sha256>::expand_message(&[msg], dst, 48).unwrap().fill_bytes(&mut bytes);`
			`bytes`
			`})`
			`.reduce(&modulus)`
			`.unwrap()`
			`.to_be_bytes();`

			`let mut array = *GenericArray::from_slice(&unreduced[16 ..]);`
			`let res = $lib::Scalar::from_repr(array).unwrap();`
			`unreduced.zeroize();`
			`array.zeroize();`
			`res`
			`}`
			`}`
			`};`
			`}`

			`#[cfg(feature = "p256")]`
			`kp_curve!("p256", p256, P256, b"P-256");`
Re-organize testing strategy and document Ciphersuite::hash_to_F. 2022-12-24 17:08:22 -05:00			`#[cfg(feature = "p256")]`
			`#[test]`
			`fn test_p256() {`
			`ff_group_tests::group::test_prime_group_bits::<p256::ProjectivePoint>();`
			`}`
Create a dedicated crate for the DKG (#141) * Add dkg crate * Remove F_len and G_len They're generally no longer used. * Replace hash_to_vec with a provided method around associated type H: Digest Part of trying to minimize this trait so it can be moved elsewhere. Vec, which isn't std, may have been a blocker. * Encrypt secret shares within the FROST library Reduces requirements on callers in order to be correct. * Update usage of Zeroize within FROST * Inline functions in key_gen There was no reason to have them separated as they were. sign probably has the same statement available, yet that isn't the focus right now. * Add a ciphersuite package which provides hash_to_F * Set the Ciphersuite version to something valid * Have ed448 export Scalar/FieldElement/Point at the top level * Move FROST over to Ciphersuite * Correct usage of ff in ciphersuite * Correct documentation handling * Move Schnorr signatures to their own crate * Remove unused feature from schnorr * Fix Schnorr tests * Split DKG into a separate crate * Add serialize to Commitments and SecretShare Helper for buf = vec![]; .write(buf).unwrap(); buf * Move FROST over to the new dkg crate * Update Monero lib to latest FROST * Correct ethereum's usage of features * Add serialize to GeneratorProof * Add serialize helper function to FROST * Rename AddendumSerialize to WriteAddendum * Update processor * Slight fix to processor 2022-10-29 03:54:42 -05:00
			`#[cfg(feature = "secp256k1")]`
			`kp_curve!("secp256k1", k256, Secp256k1, b"secp256k1");`
Re-organize testing strategy and document Ciphersuite::hash_to_F. 2022-12-24 17:08:22 -05:00			`#[cfg(feature = "secp256k1")]`
			`#[test]`
			`fn test_secp256k1() {`
			`ff_group_tests::group::test_prime_group_bits::<k256::ProjectivePoint>();`
			`}`