Create a dedicated crate for the DKG (#141)

* Add dkg crate

* Remove F_len and G_len

They're generally no longer used.

* Replace hash_to_vec with a provided method around associated type H: Digest

Part of trying to minimize this trait so it can be moved elsewhere. Vec, 
which isn't std, may have been a blocker.

* Encrypt secret shares within the FROST library

Reduces requirements on callers in order to be correct.

* Update usage of Zeroize within FROST

* Inline functions in key_gen

There was no reason to have them separated as they were. sign probably 
has the same statement available, yet that isn't the focus right now.

* Add a ciphersuite package which provides hash_to_F

* Set the Ciphersuite version to something valid

* Have ed448 export Scalar/FieldElement/Point at the top level

* Move FROST over to Ciphersuite

* Correct usage of ff in ciphersuite

* Correct documentation handling

* Move Schnorr signatures to their own crate

* Remove unused feature from schnorr

* Fix Schnorr tests

* Split DKG into a separate crate

* Add serialize to Commitments and SecretShare

Helper for buf = vec![]; .write(buf).unwrap(); buf

* Move FROST over to the new dkg crate

* Update Monero lib to latest FROST

* Correct ethereum's usage of features

* Add serialize to GeneratorProof

* Add serialize helper function to FROST

* Rename AddendumSerialize to WriteAddendum

* Update processor

* Slight fix to processor

crypto/ciphersuite/Cargo.toml

@@ -0,0 +1,49 @@
+[package]
+name = "ciphersuite"
+version = "0.1.1"
+description = "Ciphersuites built around ff/group"
+license = "MIT"
+repository = "https://github.com/serai-dex/serai/tree/develop/crypto/ciphersuite"
+authors = ["Luke Parker <lukeparker5132@gmail.com>"]
+keywords = ["ciphersuite", "ff", "group"]
+edition = "2021"
+
+[package.metadata.docs.rs]
+all-features = true
+rustdoc-args = ["--cfg", "docsrs"]
+
+[dependencies]
+rand_core = "0.6"
+
+zeroize = { version = "1.5", features = ["zeroize_derive"] }
+subtle = "2"
+
+digest = "0.10"
+sha2 = { version = "0.10", optional = true }
+sha3 = { version = "0.10", optional = true }
+
+ff = { version = "0.12", features = ["bits"] }
+group = "0.12"
+
+dalek-ff-group = { path = "../dalek-ff-group", version = "^0.1.2", optional = true }
+
+elliptic-curve = { version = "0.12", features = ["hash2curve"], optional = true }
+p256 = { version = "0.11", features = ["arithmetic", "bits", "hash2curve"], optional = true }
+k256 = { version = "0.11", features = ["arithmetic", "bits", "hash2curve"], optional = true }
+
+minimal-ed448 = { path = "../ed448", version = "0.1", optional = true }
+
+[features]
+std = []
+
+dalek = ["sha2", "dalek-ff-group"]
+ed25519 = ["dalek"]
+ristretto = ["dalek"]
+
+kp256 = ["sha2", "elliptic-curve"]
+p256 = ["kp256", "dep:p256"]
+secp256k1 = ["kp256", "k256"]
+
+ed448 = ["sha3", "minimal-ed448"]
+
+default = ["std"]

crypto/ciphersuite/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021-2022 Luke Parker
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

crypto/ciphersuite/README.md

@@ -0,0 +1,3 @@
+# Ciphersuite
+
+Ciphersuites for elliptic curves premised on ff/group.

crypto/ciphersuite/src/dalek.rs

@@ -0,0 +1,44 @@
+use zeroize::Zeroize;
+
+use sha2::{Digest, Sha512};
+
+use group::Group;
+use dalek_ff_group::Scalar;
+
+use crate::Ciphersuite;
+
+macro_rules! dalek_curve {
+  (
+    $feature: literal,
+
+    $Ciphersuite: ident,
+    $Point:       ident,
+    $ID:          literal
+  ) => {
+    use dalek_ff_group::$Point;
+
+    #[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
+    pub struct $Ciphersuite;
+    impl Ciphersuite for $Ciphersuite {
+      type F = Scalar;
+      type G = $Point;
+      type H = Sha512;
+
+      const ID: &'static [u8] = $ID;
+
+      fn generator() -> Self::G {
+        $Point::generator()
+      }
+
+      fn hash_to_F(dst: &[u8], data: &[u8]) -> Self::F {
+        Scalar::from_hash(Sha512::new_with_prefix(&[dst, data].concat()))
+      }
+    }
+  };
+}
+
+#[cfg(any(test, feature = "ristretto"))]
+dalek_curve!("ristretto", Ristretto, RistrettoPoint, b"ristretto");
+
+#[cfg(feature = "ed25519")]
+dalek_curve!("ed25519", Ed25519, EdwardsPoint, b"edwards25519");

crypto/ciphersuite/src/ed448.rs

@@ -0,0 +1,67 @@
+use zeroize::Zeroize;
+
+use digest::{
+  typenum::U114, core_api::BlockSizeUser, Update, Output, OutputSizeUser, FixedOutput,
+  ExtendableOutput, XofReader, HashMarker, Digest,
+};
+use sha3::Shake256;
+
+use group::Group;
+use minimal_ed448::{scalar::Scalar, point::Point};
+
+use crate::Ciphersuite;
+
+// Re-define Shake256 as a traditional Digest to meet API expectations
+#[derive(Clone, Default)]
+pub struct Shake256_114(Shake256);
+impl BlockSizeUser for Shake256_114 {
+  type BlockSize = <Shake256 as BlockSizeUser>::BlockSize;
+  fn block_size() -> usize {
+    Shake256::block_size()
+  }
+}
+impl OutputSizeUser for Shake256_114 {
+  type OutputSize = U114;
+  fn output_size() -> usize {
+    114
+  }
+}
+impl Update for Shake256_114 {
+  fn update(&mut self, data: &[u8]) {
+    self.0.update(data);
+  }
+  fn chain(mut self, data: impl AsRef<[u8]>) -> Self {
+    Update::update(&mut self, data.as_ref());
+    self
+  }
+}
+impl FixedOutput for Shake256_114 {
+  fn finalize_fixed(self) -> Output<Self> {
+    let mut res = Default::default();
+    FixedOutput::finalize_into(self, &mut res);
+    res
+  }
+  fn finalize_into(self, out: &mut Output<Self>) {
+    let mut reader = self.0.finalize_xof();
+    reader.read(out);
+  }
+}
+impl HashMarker for Shake256_114 {}
+
+#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
+pub struct Ed448;
+impl Ciphersuite for Ed448 {
+  type F = Scalar;
+  type G = Point;
+  type H = Shake256_114;
+
+  const ID: &'static [u8] = b"ed448";
+
+  fn generator() -> Self::G {
+    Point::generator()
+  }
+
+  fn hash_to_F(dst: &[u8], data: &[u8]) -> Self::F {
+    Scalar::wide_reduce(Self::H::digest(&[dst, data].concat()).as_ref().try_into().unwrap())
+  }
+}

crypto/ciphersuite/src/kp256.rs

@@ -0,0 +1,72 @@
+use zeroize::Zeroize;
+
+use sha2::{Digest, Sha256};
+
+use group::ff::{Field, PrimeField};
+
+use elliptic_curve::{
+  generic_array::GenericArray,
+  bigint::{Encoding, U384},
+  hash2curve::{Expander, ExpandMsg, ExpandMsgXmd},
+};
+
+use crate::Ciphersuite;
+
+macro_rules! kp_curve {
+  (
+    $feature: literal,
+    $lib:     ident,
+
+    $Ciphersuite: ident,
+    $ID:          literal
+  ) => {
+    #[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
+    pub struct $Ciphersuite;
+    impl Ciphersuite for $Ciphersuite {
+      type F = $lib::Scalar;
+      type G = $lib::ProjectivePoint;
+      type H = Sha256;
+
+      const ID: &'static [u8] = $ID;
+
+      fn generator() -> Self::G {
+        $lib::ProjectivePoint::GENERATOR
+      }
+
+      fn hash_to_F(dst: &[u8], msg: &[u8]) -> Self::F {
+        let mut dst = dst;
+        let oversize = Sha256::digest([b"H2C-OVERSIZE-DST-".as_ref(), dst].concat());
+        if dst.len() > 255 {
+          dst = oversize.as_ref();
+        }
+
+        // While one of these two libraries does support directly hashing to the Scalar field, the
+        // other doesn't. While that's probably an oversight, this is a universally working method
+        let mut modulus = [0; 48];
+        modulus[16 ..].copy_from_slice(&(Self::F::zero() - Self::F::one()).to_bytes());
+        let modulus = U384::from_be_slice(&modulus).wrapping_add(&U384::ONE);
+
+        let mut unreduced = U384::from_be_bytes({
+          let mut bytes = [0; 48];
+          ExpandMsgXmd::<Sha256>::expand_message(&[msg], dst, 48).unwrap().fill_bytes(&mut bytes);
+          bytes
+        })
+        .reduce(&modulus)
+        .unwrap()
+        .to_be_bytes();
+
+        let mut array = *GenericArray::from_slice(&unreduced[16 ..]);
+        let res = $lib::Scalar::from_repr(array).unwrap();
+        unreduced.zeroize();
+        array.zeroize();
+        res
+      }
+    }
+  };
+}
+
+#[cfg(feature = "p256")]
+kp_curve!("p256", p256, P256, b"P-256");
+
+#[cfg(feature = "secp256k1")]
+kp_curve!("secp256k1", k256, Secp256k1, b"secp256k1");

crypto/ciphersuite/src/lib.rs

@@ -0,0 +1,106 @@
+#![cfg_attr(docsrs, feature(doc_cfg))]
+#![cfg_attr(docsrs, feature(doc_auto_cfg))]
+#![cfg_attr(not(feature = "std"), no_std)]
+
+use core::fmt::Debug;
+#[cfg(feature = "std")]
+use std::io::{self, Read};
+
+use rand_core::{RngCore, CryptoRng};
+
+use zeroize::Zeroize;
+use subtle::ConstantTimeEq;
+
+use digest::{core_api::BlockSizeUser, Digest};
+
+use group::{
+  ff::{Field, PrimeField, PrimeFieldBits},
+  Group, GroupOps,
+  prime::PrimeGroup,
+};
+#[cfg(feature = "std")]
+use group::GroupEncoding;
+
+#[cfg(feature = "dalek")]
+mod dalek;
+#[cfg(feature = "ristretto")]
+pub use dalek::Ristretto;
+#[cfg(feature = "ed25519")]
+pub use dalek::Ed25519;
+
+#[cfg(feature = "kp256")]
+mod kp256;
+#[cfg(feature = "secp256k1")]
+pub use kp256::Secp256k1;
+#[cfg(feature = "p256")]
+pub use kp256::P256;
+
+#[cfg(feature = "ed448")]
+mod ed448;
+#[cfg(feature = "ed448")]
+pub use ed448::*;
+
+/// Unified trait defining a ciphersuite around an elliptic curve.
+pub trait Ciphersuite: Clone + Copy + PartialEq + Eq + Debug + Zeroize {
+  /// Scalar field element type.
+  // This is available via G::Scalar yet `C::G::Scalar` is ambiguous, forcing horrific accesses
+  type F: PrimeField + PrimeFieldBits + Zeroize;
+  /// Group element type.
+  type G: Group<Scalar = Self::F> + GroupOps + PrimeGroup + Zeroize + ConstantTimeEq;
+  /// Hash algorithm used with this curve.
+  // Requires BlockSizeUser so it can be used within Hkdf which requies that.
+  type H: Clone + BlockSizeUser + Digest;
+
+  /// ID for this curve.
+  const ID: &'static [u8];
+
+  /// Generator for the group.
+  // While group does provide this in its API, privacy coins may want to use a custom basepoint
+  fn generator() -> Self::G;
+
+  /// Hash the provided dst and message to a scalar.
+  #[allow(non_snake_case)]
+  fn hash_to_F(dst: &[u8], msg: &[u8]) -> Self::F;
+
+  /// Generate a random non-zero scalar.
+  #[allow(non_snake_case)]
+  fn random_nonzero_F<R: RngCore + CryptoRng>(rng: &mut R) -> Self::F {
+    let mut res;
+    while {
+      res = Self::F::random(&mut *rng);
+      res.ct_eq(&Self::F::zero()).into()
+    } {}
+    res
+  }
+
+  /// Read a canonical scalar from something implementing std::io::Read.
+  #[cfg(feature = "std")]
+  #[allow(non_snake_case)]
+  fn read_F<R: Read>(reader: &mut R) -> io::Result<Self::F> {
+    let mut encoding = <Self::F as PrimeField>::Repr::default();
+    reader.read_exact(encoding.as_mut())?;
+
+    // ff mandates this is canonical
+    let res = Option::<Self::F>::from(Self::F::from_repr(encoding))
+      .ok_or_else(|| io::Error::new(io::ErrorKind::Other, "non-canonical scalar"));
+    for b in encoding.as_mut() {
+      b.zeroize();
+    }
+    res
+  }
+
+  /// Read a canonical point from something implementing std::io::Read.
+  #[cfg(feature = "std")]
+  #[allow(non_snake_case)]
+  fn read_G<R: Read>(reader: &mut R) -> io::Result<Self::G> {
+    let mut encoding = <Self::G as GroupEncoding>::Repr::default();
+    reader.read_exact(encoding.as_mut())?;
+
+    let point = Option::<Self::G>::from(Self::G::from_bytes(&encoding))
+      .ok_or_else(|| io::Error::new(io::ErrorKind::Other, "invalid point"))?;
+    if point.to_bytes().as_ref() != encoding.as_ref() {
+      Err(io::Error::new(io::ErrorKind::Other, "non-canonical point"))?;
+    }
+    Ok(point)
+  }
+}