crypto/dleq/src/lib.rs

#![cfg_attr(not(feature = "std"), no_std)]

use rand_core::{RngCore, CryptoRng};

use transcript::Transcript;

use ff::{Field, PrimeField};
use group::prime::PrimeGroup;

#[cfg(feature = "serialize")]
use std::io::{self, ErrorKind, Error, Read, Write};

#[cfg(feature = "experimental")]
pub mod cross_group;

#[cfg(test)]
mod tests;

pub(crate) fn challenge<T: Transcript, F: PrimeField>(transcript: &mut T) -> F {
  // From here, there are three ways to get a scalar under the ff/group API
  // 1: Scalar::random(ChaCha12Rng::from_seed(self.transcript.rng_seed(b"challenge")))
  // 2: Grabbing a UInt library to perform reduction by the modulus, then determining endianess
  //    and loading it in
  // 3: Iterating over each byte and manually doubling/adding. This is simplest

  // Get a wide amount of bytes to safely reduce without bias
  let target = ((usize::try_from(F::NUM_BITS).unwrap() + 7) / 8) * 2;
  let mut challenge_bytes = transcript.challenge(b"challenge").as_ref().to_vec();
  while challenge_bytes.len() < target {
    // Secure given transcripts updating on challenge
    challenge_bytes.extend(transcript.challenge(b"challenge_extension").as_ref());
  }
  challenge_bytes.truncate(target);

  let mut challenge = F::zero();
  for b in challenge_bytes {
    for _ in 0 .. 8 {
      challenge = challenge.double();
    }
    challenge += F::from(u64::from(b));
  }
  challenge
}

#[cfg(feature = "serialize")]
fn read_scalar<R: Read, F: PrimeField>(r: &mut R) -> io::Result<F> {
  let mut repr = F::Repr::default();
  r.read_exact(repr.as_mut())?;
  let scalar = F::from_repr(repr);
  if scalar.is_none().into() {
    Err(Error::new(ErrorKind::Other, "invalid scalar"))?;
  }
  Ok(scalar.unwrap())
}

#[derive(Debug)]
pub enum DLEqError {
  InvalidProof,
}

#[derive(Clone, PartialEq, Eq, Debug)]
pub struct DLEqProof<G: PrimeGroup> {
  c: G::Scalar,
  s: G::Scalar,
}

#[allow(non_snake_case)]
impl<G: PrimeGroup> DLEqProof<G> {
  fn transcript<T: Transcript>(transcript: &mut T, generator: G, nonce: G, point: G) {
    transcript.append_message(b"generator", generator.to_bytes().as_ref());
    transcript.append_message(b"nonce", nonce.to_bytes().as_ref());
    transcript.append_message(b"point", point.to_bytes().as_ref());
  }

  pub fn prove<R: RngCore + CryptoRng, T: Transcript>(
    rng: &mut R,
    transcript: &mut T,
    generators: &[G],
    scalar: G::Scalar,
  ) -> DLEqProof<G> {
    let r = G::Scalar::random(rng);

    transcript.domain_separate(b"dleq");
    for generator in generators {
      Self::transcript(transcript, *generator, *generator * r, *generator * scalar);
    }

    let c = challenge(transcript);
    let s = r + (c * scalar);

    DLEqProof { c, s }
  }

  pub fn verify<T: Transcript>(
    &self,
    transcript: &mut T,
    generators: &[G],
    points: &[G],
  ) -> Result<(), DLEqError> {
    if generators.len() != points.len() {
      Err(DLEqError::InvalidProof)?;
    }

    transcript.domain_separate(b"dleq");
    for (generator, point) in generators.iter().zip(points) {
      Self::transcript(transcript, *generator, (*generator * self.s) - (*point * self.c), *point);
    }

    if self.c != challenge(transcript) {
      Err(DLEqError::InvalidProof)?;
    }

    Ok(())
  }

  #[cfg(feature = "serialize")]
  pub fn serialize<W: Write>(&self, w: &mut W) -> io::Result<()> {
    w.write_all(self.c.to_repr().as_ref())?;
    w.write_all(self.s.to_repr().as_ref())
  }

  #[cfg(feature = "serialize")]
  pub fn deserialize<R: Read>(r: &mut R) -> io::Result<DLEqProof<G>> {
    Ok(DLEqProof { c: read_scalar(r)?, s: read_scalar(r)? })
  }
}
Update the DLEq proof for any amount of generators The two-generator limit wasn't required nor beneficial. This does theoretically optimize FROST, yet not for any current constructions. A follow up proof which would optimize current constructions has been noted in #38. Adds explicit no_std support to the core DLEq proof. Closes #34. 2022-07-13 23:29:48 -04:00			`#![cfg_attr(not(feature = "std"), no_std)]`

Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`use rand_core::{RngCore, CryptoRng};`

			`use transcript::Transcript;`

			`use ff::{Field, PrimeField};`
			`use group::prime::PrimeGroup;`

			`#[cfg(feature = "serialize")]`
			`use std::io::{self, ErrorKind, Error, Read, Write};`

Tweak DLEq README and rename the experimental_cross_group feature to just experimental 2022-07-07 09:52:10 -04:00			`#[cfg(feature = "experimental")]`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`pub mod cross_group;`

			`#[cfg(test)]`
			`mod tests;`

Unify the cross-group DLEq challenges This does reduce the strength of the challenges to that of the weaker field, yet that doesn't have any impact on whether or not this is ZK due to the key being shared across fields. Saves ~8kb. 2022-06-30 11:23:13 -04:00			`pub(crate) fn challenge<T: Transcript, F: PrimeField>(transcript: &mut T) -> F {`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`// From here, there are three ways to get a scalar under the ff/group API`
			`// 1: Scalar::random(ChaCha12Rng::from_seed(self.transcript.rng_seed(b"challenge")))`
			`// 2: Grabbing a UInt library to perform reduction by the modulus, then determining endianess`
			`// and loading it in`
			`// 3: Iterating over each byte and manually doubling/adding. This is simplest`
Support transcripts with 32-byte challenges in the DLEq crate 2022-07-09 00:38:19 -04:00
			`// Get a wide amount of bytes to safely reduce without bias`
			`let target = ((usize::try_from(F::NUM_BITS).unwrap() + 7) / 8) * 2;`
			`let mut challenge_bytes = transcript.challenge(b"challenge").as_ref().to_vec();`
			`while challenge_bytes.len() < target {`
			`// Secure given transcripts updating on challenge`
			`challenge_bytes.extend(transcript.challenge(b"challenge_extension").as_ref());`
			`}`
			`challenge_bytes.truncate(target);`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00
			`let mut challenge = F::zero();`
Support transcripts with 32-byte challenges in the DLEq crate 2022-07-09 00:38:19 -04:00			`for b in challenge_bytes {`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`for _ in 0 .. 8 {`
			`challenge = challenge.double();`
			`}`
Support transcripts with 32-byte challenges in the DLEq crate 2022-07-09 00:38:19 -04:00			`challenge += F::from(u64::from(b));`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`}`
			`challenge`
			`}`

			`#[cfg(feature = "serialize")]`
			`fn read_scalar<R: Read, F: PrimeField>(r: &mut R) -> io::Result<F> {`
			`let mut repr = F::Repr::default();`
			`r.read_exact(repr.as_mut())?;`
			`let scalar = F::from_repr(repr);`
			`if scalar.is_none().into() {`
			`Err(Error::new(ErrorKind::Other, "invalid scalar"))?;`
			`}`
			`Ok(scalar.unwrap())`
			`}`

Update the DLEq proof for any amount of generators The two-generator limit wasn't required nor beneficial. This does theoretically optimize FROST, yet not for any current constructions. A follow up proof which would optimize current constructions has been noted in #38. Adds explicit no_std support to the core DLEq proof. Closes #34. 2022-07-13 23:29:48 -04:00			`#[derive(Debug)]`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`pub enum DLEqError {`
Apply an initial set of rustfmt rules 2022-07-15 01:26:07 -04:00			`InvalidProof,`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`}`

			`#[derive(Clone, PartialEq, Eq, Debug)]`
			`pub struct DLEqProof<G: PrimeGroup> {`
			`c: G::Scalar,`
Apply an initial set of rustfmt rules 2022-07-15 01:26:07 -04:00			`s: G::Scalar,`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`}`

			`#[allow(non_snake_case)]`
			`impl<G: PrimeGroup> DLEqProof<G> {`
Update the DLEq proof for any amount of generators The two-generator limit wasn't required nor beneficial. This does theoretically optimize FROST, yet not for any current constructions. A follow up proof which would optimize current constructions has been noted in #38. Adds explicit no_std support to the core DLEq proof. Closes #34. 2022-07-13 23:29:48 -04:00			`fn transcript<T: Transcript>(transcript: &mut T, generator: G, nonce: G, point: G) {`
			`transcript.append_message(b"generator", generator.to_bytes().as_ref());`
			`transcript.append_message(b"nonce", nonce.to_bytes().as_ref());`
			`transcript.append_message(b"point", point.to_bytes().as_ref());`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`}`

			`pub fn prove<R: RngCore + CryptoRng, T: Transcript>(`
			`rng: &mut R,`
			`transcript: &mut T,`
Update the DLEq proof for any amount of generators The two-generator limit wasn't required nor beneficial. This does theoretically optimize FROST, yet not for any current constructions. A follow up proof which would optimize current constructions has been noted in #38. Adds explicit no_std support to the core DLEq proof. Closes #34. 2022-07-13 23:29:48 -04:00			`generators: &[G],`
Apply an initial set of rustfmt rules 2022-07-15 01:26:07 -04:00			`scalar: G::Scalar,`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`) -> DLEqProof<G> {`
			`let r = G::Scalar::random(rng);`
Update the DLEq proof for any amount of generators The two-generator limit wasn't required nor beneficial. This does theoretically optimize FROST, yet not for any current constructions. A follow up proof which would optimize current constructions has been noted in #38. Adds explicit no_std support to the core DLEq proof. Closes #34. 2022-07-13 23:29:48 -04:00
			`transcript.domain_separate(b"dleq");`
			`for generator in generators {`
			`Self::transcript(transcript, generator, generator * r, generator scalar);`
			`}`

			`let c = challenge(transcript);`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`let s = r + (c * scalar);`

			`DLEqProof { c, s }`
			`}`

			`pub fn verify<T: Transcript>(`
			`&self,`
			`transcript: &mut T,`
Update the DLEq proof for any amount of generators The two-generator limit wasn't required nor beneficial. This does theoretically optimize FROST, yet not for any current constructions. A follow up proof which would optimize current constructions has been noted in #38. Adds explicit no_std support to the core DLEq proof. Closes #34. 2022-07-13 23:29:48 -04:00			`generators: &[G],`
Apply an initial set of rustfmt rules 2022-07-15 01:26:07 -04:00			`points: &[G],`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`) -> Result<(), DLEqError> {`
Update the DLEq proof for any amount of generators The two-generator limit wasn't required nor beneficial. This does theoretically optimize FROST, yet not for any current constructions. A follow up proof which would optimize current constructions has been noted in #38. Adds explicit no_std support to the core DLEq proof. Closes #34. 2022-07-13 23:29:48 -04:00			`if generators.len() != points.len() {`
			`Err(DLEqError::InvalidProof)?;`
			`}`

			`transcript.domain_separate(b"dleq");`
			`for (generator, point) in generators.iter().zip(points) {`
			`Self::transcript(transcript, generator, (generator * self.s) - (point self.c), *point);`
			`}`

			`if self.c != challenge(transcript) {`
Implement a DLEq library While Serai only needs the simple DLEq which was already present under monero, this migrates the implementation of the cross-group DLEq I maintain into Serai. This was to have full access to the ecosystem of libraries built under Serai while also ensuring support for it. The cross_group curve, which is extremely experimental, is feature flagged off. So is the built in serialization functionality, as this should be possible to make nostd once const generics are full featured, yet the implemented serialization adds the additional barrier of std::io. 2022-06-30 05:42:29 -04:00			`Err(DLEqError::InvalidProof)?;`
			`}`

			`Ok(())`
			`}`

			`#[cfg(feature = "serialize")]`
			`pub fn serialize<W: Write>(&self, w: &mut W) -> io::Result<()> {`
			`w.write_all(self.c.to_repr().as_ref())?;`
			`w.write_all(self.s.to_repr().as_ref())`
			`}`

			`#[cfg(feature = "serialize")]`
			`pub fn deserialize<R: Read>(r: &mut R) -> io::Result<DLEqProof<G>> {`
			`Ok(DLEqProof { c: read_scalar(r)?, s: read_scalar(r)? })`
			`}`
			`}`