crypto/frost/src/schnorr.rs

use rand_core::{RngCore, CryptoRng};

use group::{ff::{Field, PrimeField}, GroupEncoding};

use multiexp::BatchVerifier;

use crate::{Curve, F_len, G_len};

#[allow(non_snake_case)]
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct SchnorrSignature<C: Curve> {
  pub R: C::G,
  pub s: C::F,
}

impl<C: Curve> SchnorrSignature<C> {
  pub fn serialize(&self) -> Vec<u8> {
    let mut res = Vec::with_capacity(G_len::<C>() + F_len::<C>());
    res.extend(self.R.to_bytes().as_ref());
    res.extend(self.s.to_repr().as_ref());
    res
  }
}

pub(crate) fn sign<C: Curve>(
  private_key: C::F,
  nonce: C::F,
  challenge: C::F
) -> SchnorrSignature<C> {
  SchnorrSignature {
    R: C::GENERATOR * nonce,
    s: nonce + (private_key * challenge)
  }
}

pub(crate) fn verify<C: Curve>(
  public_key: C::G,
  challenge: C::F,
  signature: &SchnorrSignature<C>
) -> bool {
  (C::GENERATOR * signature.s) == (signature.R + (public_key * challenge))
}

pub(crate) fn batch_verify<C: Curve, R: RngCore + CryptoRng>(
  rng: &mut R,
  triplets: &[(u16, C::G, C::F, SchnorrSignature<C>)]
) -> Result<(), u16> {
  let mut values = [(C::F::one(), C::GENERATOR); 3];
  let mut batch = BatchVerifier::new(triplets.len());
  for triple in triplets {
    // s = r + ca
    // sG == R + cA
    // R + cA - sG == 0

    // R
    values[0].1 = triple.3.R;
    // cA
    values[1] = (triple.2, triple.1);
    // -sG
    values[2].0 = -triple.3.s;

    batch.queue(rng, triple.0, values);
  }

  batch.verify_vartime_with_vartime_blame()
}
Consolidate Schnorr code in FROST 2022-05-25 00:22:00 -04:00			`use rand_core::{RngCore, CryptoRng};`

Use GroupEncoding instead of Curve's from_slice/to_bytes Increases usage of standardization while expanding dalek_ff_group. Closes https://github.com/serai-dex/serai/issues/26 by moving dfg::EdwardsPoint to only be for the prime subgroup. 2022-06-28 01:25:26 -04:00			`use group::{ff::{Field, PrimeField}, GroupEncoding};`
Consolidate Schnorr code in FROST 2022-05-25 00:22:00 -04:00
Add a batch verifier to multiexp, along with constant time variants Saves ~8% during FROST key gen, even with dropping a vartime for a constant time (as needed to be secure), as the new batch verifier is used where batch verification previously wasn't. The new multiexp API itself also offered a very slight performance boost, which may solely be a measurement error. Handles most of https://github.com/serai-dex/serai/issues/10. The blame function isn't binary searched nor randomly sorted yet. 2022-05-27 00:52:44 -04:00			`use multiexp::BatchVerifier;`

Remove C::F_len, C::G_len for F_len<C> and G_len<C> Relies on the ff/group API, instead of the custom Curve type. Also removes GENERATOR_TABLE, only used by dalek, as we should provide our own API for that over ff/group instead. This slows down the FROST tests, under debug, by about 0.2-0.3s. Ed25519 and Ristretto together take ~2.15 seconds now. 2022-06-30 18:46:18 -04:00			`use crate::{Curve, F_len, G_len};`
Consolidate Schnorr code in FROST 2022-05-25 00:22:00 -04:00
			`#[allow(non_snake_case)]`
			`#[derive(Clone, Copy, PartialEq, Eq, Debug)]`
			`pub struct SchnorrSignature<C: Curve> {`
			`pub R: C::G,`
			`pub s: C::F,`
			`}`

			`impl<C: Curve> SchnorrSignature<C> {`
			`pub fn serialize(&self) -> Vec<u8> {`
Remove C::F_len, C::G_len for F_len<C> and G_len<C> Relies on the ff/group API, instead of the custom Curve type. Also removes GENERATOR_TABLE, only used by dalek, as we should provide our own API for that over ff/group instead. This slows down the FROST tests, under debug, by about 0.2-0.3s. Ed25519 and Ristretto together take ~2.15 seconds now. 2022-06-30 18:46:18 -04:00			`let mut res = Vec::with_capacity(G_len::<C>() + F_len::<C>());`
Use GroupEncoding instead of Curve's from_slice/to_bytes Increases usage of standardization while expanding dalek_ff_group. Closes https://github.com/serai-dex/serai/issues/26 by moving dfg::EdwardsPoint to only be for the prime subgroup. 2022-06-28 01:25:26 -04:00			`res.extend(self.R.to_bytes().as_ref());`
			`res.extend(self.s.to_repr().as_ref());`
Consolidate Schnorr code in FROST 2022-05-25 00:22:00 -04:00			`res`
			`}`
			`}`

			`pub(crate) fn sign<C: Curve>(`
			`private_key: C::F,`
			`nonce: C::F,`
			`challenge: C::F`
			`) -> SchnorrSignature<C> {`
			`SchnorrSignature {`
Remove C::F_len, C::G_len for F_len<C> and G_len<C> Relies on the ff/group API, instead of the custom Curve type. Also removes GENERATOR_TABLE, only used by dalek, as we should provide our own API for that over ff/group instead. This slows down the FROST tests, under debug, by about 0.2-0.3s. Ed25519 and Ristretto together take ~2.15 seconds now. 2022-06-30 18:46:18 -04:00			`R: C::GENERATOR * nonce,`
Consolidate Schnorr code in FROST 2022-05-25 00:22:00 -04:00			`s: nonce + (private_key * challenge)`
			`}`
			`}`

			`pub(crate) fn verify<C: Curve>(`
			`public_key: C::G,`
			`challenge: C::F,`
			`signature: &SchnorrSignature<C>`
			`) -> bool {`
Remove C::F_len, C::G_len for F_len<C> and G_len<C> Relies on the ff/group API, instead of the custom Curve type. Also removes GENERATOR_TABLE, only used by dalek, as we should provide our own API for that over ff/group instead. This slows down the FROST tests, under debug, by about 0.2-0.3s. Ed25519 and Ristretto together take ~2.15 seconds now. 2022-06-30 18:46:18 -04:00			`(C::GENERATOR * signature.s) == (signature.R + (public_key * challenge))`
Consolidate Schnorr code in FROST 2022-05-25 00:22:00 -04:00			`}`

			`pub(crate) fn batch_verify<C: Curve, R: RngCore + CryptoRng>(`
			`rng: &mut R,`
			`triplets: &[(u16, C::G, C::F, SchnorrSignature<C>)]`
			`) -> Result<(), u16> {`
Use const values for our traits where we can 2022-06-03 23:22:08 -04:00			`let mut values = [(C::F::one(), C::GENERATOR); 3];`
Implement variable-sized windows into multiexp Closes https://github.com/serai-dex/serai/issues/17 by using the PrimeFieldBits API to do so. Should greatly speed up small batches, along with batches in the hundreds. Saves almost a full second on the cross-group DLEq proof. 2022-06-30 09:30:24 -04:00			`let mut batch = BatchVerifier::new(triplets.len());`
Consolidate Schnorr code in FROST 2022-05-25 00:22:00 -04:00			`for triple in triplets {`
Implement a binary search for BatchVerifier blame Adds helper functions to verify and, on failure, blame, which move an unwrap from callers into multiexp where it's guaranteed to be safe and easily verified to be proper. Closes https://github.com/serai-dex/serai/issues/10. 2022-05-27 02:01:01 -04:00			`// s = r + ca`
			`// sG == R + cA`
			`// R + cA - sG == 0`

Add a batch verifier to multiexp, along with constant time variants Saves ~8% during FROST key gen, even with dropping a vartime for a constant time (as needed to be secure), as the new batch verifier is used where batch verification previously wasn't. The new multiexp API itself also offered a very slight performance boost, which may solely be a measurement error. Handles most of https://github.com/serai-dex/serai/issues/10. The blame function isn't binary searched nor randomly sorted yet. 2022-05-27 00:52:44 -04:00			`// R`
			`values[0].1 = triple.3.R;`
			`// cA`
			`values[1] = (triple.2, triple.1);`
			`// -sG`
			`values[2].0 = -triple.3.s;`
Consolidate Schnorr code in FROST 2022-05-25 00:22:00 -04:00
Add a batch verifier to multiexp, along with constant time variants Saves ~8% during FROST key gen, even with dropping a vartime for a constant time (as needed to be secure), as the new batch verifier is used where batch verification previously wasn't. The new multiexp API itself also offered a very slight performance boost, which may solely be a measurement error. Handles most of https://github.com/serai-dex/serai/issues/10. The blame function isn't binary searched nor randomly sorted yet. 2022-05-27 00:52:44 -04:00			`batch.queue(rng, triple.0, values);`
Consolidate Schnorr code in FROST 2022-05-25 00:22:00 -04:00			`}`

Implement a binary search for BatchVerifier blame Adds helper functions to verify and, on failure, blame, which move an unwrap from callers into multiexp where it's guaranteed to be safe and easily verified to be proper. Closes https://github.com/serai-dex/serai/issues/10. 2022-05-27 02:01:01 -04:00			`batch.verify_vartime_with_vartime_blame()`
Consolidate Schnorr code in FROST 2022-05-25 00:22:00 -04:00			`}`