Create a dedicated crate for the DKG (#141)

* Add dkg crate * Remove F_len and G_len They're generally no longer used. * Replace hash_to_vec with a provided method around associated type H: Digest Part of trying to minimize this trait so it can be moved elsewhere. Vec, which isn't std, may have been a blocker. * Encrypt secret shares within the FROST library Reduces requirements on callers in order to be correct. * Update usage of Zeroize within FROST * Inline functions in key_gen There was no reason to have them separated as they were. sign probably has the same statement available, yet that isn't the focus right now. * Add a ciphersuite package which provides hash_to_F * Set the Ciphersuite version to something valid * Have ed448 export Scalar/FieldElement/Point at the top level * Move FROST over to Ciphersuite * Correct usage of ff in ciphersuite * Correct documentation handling * Move Schnorr signatures to their own crate * Remove unused feature from schnorr * Fix Schnorr tests * Split DKG into a separate crate * Add serialize to Commitments and SecretShare Helper for buf = vec![]; .write(buf).unwrap(); buf * Move FROST over to the new dkg crate * Update Monero lib to latest FROST * Correct ethereum's usage of features * Add serialize to GeneratorProof * Add serialize helper function to FROST * Rename AddendumSerialize to WriteAddendum * Update processor * Slight fix to processor
2025-12-08 20:29:23 +00:00 · 2022-10-29 03:54:42 -05:00
parent cbceaff678
commit 2379855b31
50 changed files with 2076 additions and 1601 deletions
--- a/crypto/ciphersuite/src/dalek.rs
+++ b/crypto/ciphersuite/src/dalek.rs
@@ -0,0 +1,44 @@
+use zeroize::Zeroize;
+
+use sha2::{Digest, Sha512};
+
+use group::Group;
+use dalek_ff_group::Scalar;
+
+use crate::Ciphersuite;
+
+macro_rules! dalek_curve {
+  (
+    $feature: literal,
+
+    $Ciphersuite: ident,
+    $Point:       ident,
+    $ID:          literal
+  ) => {
+    use dalek_ff_group::$Point;
+
+    #[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
+    pub struct $Ciphersuite;
+    impl Ciphersuite for $Ciphersuite {
+      type F = Scalar;
+      type G = $Point;
+      type H = Sha512;
+
+      const ID: &'static [u8] = $ID;
+
+      fn generator() -> Self::G {
+        $Point::generator()
+      }
+
+      fn hash_to_F(dst: &[u8], data: &[u8]) -> Self::F {
+        Scalar::from_hash(Sha512::new_with_prefix(&[dst, data].concat()))
+      }
+    }
+  };
+}
+
+#[cfg(any(test, feature = "ristretto"))]
+dalek_curve!("ristretto", Ristretto, RistrettoPoint, b"ristretto");
+
+#[cfg(feature = "ed25519")]
+dalek_curve!("ed25519", Ed25519, EdwardsPoint, b"edwards25519");
--- a/crypto/ciphersuite/src/ed448.rs
+++ b/crypto/ciphersuite/src/ed448.rs
@@ -0,0 +1,67 @@
+use zeroize::Zeroize;
+
+use digest::{
+  typenum::U114, core_api::BlockSizeUser, Update, Output, OutputSizeUser, FixedOutput,
+  ExtendableOutput, XofReader, HashMarker, Digest,
+};
+use sha3::Shake256;
+
+use group::Group;
+use minimal_ed448::{scalar::Scalar, point::Point};
+
+use crate::Ciphersuite;
+
+// Re-define Shake256 as a traditional Digest to meet API expectations
+#[derive(Clone, Default)]
+pub struct Shake256_114(Shake256);
+impl BlockSizeUser for Shake256_114 {
+  type BlockSize = <Shake256 as BlockSizeUser>::BlockSize;
+  fn block_size() -> usize {
+    Shake256::block_size()
+  }
+}
+impl OutputSizeUser for Shake256_114 {
+  type OutputSize = U114;
+  fn output_size() -> usize {
+    114
+  }
+}
+impl Update for Shake256_114 {
+  fn update(&mut self, data: &[u8]) {
+    self.0.update(data);
+  }
+  fn chain(mut self, data: impl AsRef<[u8]>) -> Self {
+    Update::update(&mut self, data.as_ref());
+    self
+  }
+}
+impl FixedOutput for Shake256_114 {
+  fn finalize_fixed(self) -> Output<Self> {
+    let mut res = Default::default();
+    FixedOutput::finalize_into(self, &mut res);
+    res
+  }
+  fn finalize_into(self, out: &mut Output<Self>) {
+    let mut reader = self.0.finalize_xof();
+    reader.read(out);
+  }
+}
+impl HashMarker for Shake256_114 {}
+
+#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
+pub struct Ed448;
+impl Ciphersuite for Ed448 {
+  type F = Scalar;
+  type G = Point;
+  type H = Shake256_114;
+
+  const ID: &'static [u8] = b"ed448";
+
+  fn generator() -> Self::G {
+    Point::generator()
+  }
+
+  fn hash_to_F(dst: &[u8], data: &[u8]) -> Self::F {
+    Scalar::wide_reduce(Self::H::digest(&[dst, data].concat()).as_ref().try_into().unwrap())
+  }
+}
--- a/crypto/ciphersuite/src/kp256.rs
+++ b/crypto/ciphersuite/src/kp256.rs
@@ -0,0 +1,72 @@
+use zeroize::Zeroize;
+
+use sha2::{Digest, Sha256};
+
+use group::ff::{Field, PrimeField};
+
+use elliptic_curve::{
+  generic_array::GenericArray,
+  bigint::{Encoding, U384},
+  hash2curve::{Expander, ExpandMsg, ExpandMsgXmd},
+};
+
+use crate::Ciphersuite;
+
+macro_rules! kp_curve {
+  (
+    $feature: literal,
+    $lib:     ident,
+
+    $Ciphersuite: ident,
+    $ID:          literal
+  ) => {
+    #[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
+    pub struct $Ciphersuite;
+    impl Ciphersuite for $Ciphersuite {
+      type F = $lib::Scalar;
+      type G = $lib::ProjectivePoint;
+      type H = Sha256;
+
+      const ID: &'static [u8] = $ID;
+
+      fn generator() -> Self::G {
+        $lib::ProjectivePoint::GENERATOR
+      }
+
+      fn hash_to_F(dst: &[u8], msg: &[u8]) -> Self::F {
+        let mut dst = dst;
+        let oversize = Sha256::digest([b"H2C-OVERSIZE-DST-".as_ref(), dst].concat());
+        if dst.len() > 255 {
+          dst = oversize.as_ref();
+        }
+
+        // While one of these two libraries does support directly hashing to the Scalar field, the
+        // other doesn't. While that's probably an oversight, this is a universally working method
+        let mut modulus = [0; 48];
+        modulus[16 ..].copy_from_slice(&(Self::F::zero() - Self::F::one()).to_bytes());
+        let modulus = U384::from_be_slice(&modulus).wrapping_add(&U384::ONE);
+
+        let mut unreduced = U384::from_be_bytes({
+          let mut bytes = [0; 48];
+          ExpandMsgXmd::<Sha256>::expand_message(&[msg], dst, 48).unwrap().fill_bytes(&mut bytes);
+          bytes
+        })
+        .reduce(&modulus)
+        .unwrap()
+        .to_be_bytes();
+
+        let mut array = *GenericArray::from_slice(&unreduced[16 ..]);
+        let res = $lib::Scalar::from_repr(array).unwrap();
+        unreduced.zeroize();
+        array.zeroize();
+        res
+      }
+    }
+  };
+}
+
+#[cfg(feature = "p256")]
+kp_curve!("p256", p256, P256, b"P-256");
+
+#[cfg(feature = "secp256k1")]
+kp_curve!("secp256k1", k256, Secp256k1, b"secp256k1");
--- a/crypto/ciphersuite/src/lib.rs
+++ b/crypto/ciphersuite/src/lib.rs
@@ -0,0 +1,106 @@
+#![cfg_attr(docsrs, feature(doc_cfg))]
+#![cfg_attr(docsrs, feature(doc_auto_cfg))]
+#![cfg_attr(not(feature = "std"), no_std)]
+
+use core::fmt::Debug;
+#[cfg(feature = "std")]
+use std::io::{self, Read};
+
+use rand_core::{RngCore, CryptoRng};
+
+use zeroize::Zeroize;
+use subtle::ConstantTimeEq;
+
+use digest::{core_api::BlockSizeUser, Digest};
+
+use group::{
+  ff::{Field, PrimeField, PrimeFieldBits},
+  Group, GroupOps,
+  prime::PrimeGroup,
+};
+#[cfg(feature = "std")]
+use group::GroupEncoding;
+
+#[cfg(feature = "dalek")]
+mod dalek;
+#[cfg(feature = "ristretto")]
+pub use dalek::Ristretto;
+#[cfg(feature = "ed25519")]
+pub use dalek::Ed25519;
+
+#[cfg(feature = "kp256")]
+mod kp256;
+#[cfg(feature = "secp256k1")]
+pub use kp256::Secp256k1;
+#[cfg(feature = "p256")]
+pub use kp256::P256;
+
+#[cfg(feature = "ed448")]
+mod ed448;
+#[cfg(feature = "ed448")]
+pub use ed448::*;
+
+/// Unified trait defining a ciphersuite around an elliptic curve.
+pub trait Ciphersuite: Clone + Copy + PartialEq + Eq + Debug + Zeroize {
+  /// Scalar field element type.
+  // This is available via G::Scalar yet `C::G::Scalar` is ambiguous, forcing horrific accesses
+  type F: PrimeField + PrimeFieldBits + Zeroize;
+  /// Group element type.
+  type G: Group<Scalar = Self::F> + GroupOps + PrimeGroup + Zeroize + ConstantTimeEq;
+  /// Hash algorithm used with this curve.
+  // Requires BlockSizeUser so it can be used within Hkdf which requies that.
+  type H: Clone + BlockSizeUser + Digest;
+
+  /// ID for this curve.
+  const ID: &'static [u8];
+
+  /// Generator for the group.
+  // While group does provide this in its API, privacy coins may want to use a custom basepoint
+  fn generator() -> Self::G;
+
+  /// Hash the provided dst and message to a scalar.
+  #[allow(non_snake_case)]
+  fn hash_to_F(dst: &[u8], msg: &[u8]) -> Self::F;
+
+  /// Generate a random non-zero scalar.
+  #[allow(non_snake_case)]
+  fn random_nonzero_F<R: RngCore + CryptoRng>(rng: &mut R) -> Self::F {
+    let mut res;
+    while {
+      res = Self::F::random(&mut *rng);
+      res.ct_eq(&Self::F::zero()).into()
+    } {}
+    res
+  }
+
+  /// Read a canonical scalar from something implementing std::io::Read.
+  #[cfg(feature = "std")]
+  #[allow(non_snake_case)]
+  fn read_F<R: Read>(reader: &mut R) -> io::Result<Self::F> {
+    let mut encoding = <Self::F as PrimeField>::Repr::default();
+    reader.read_exact(encoding.as_mut())?;
+
+    // ff mandates this is canonical
+    let res = Option::<Self::F>::from(Self::F::from_repr(encoding))
+      .ok_or_else(|| io::Error::new(io::ErrorKind::Other, "non-canonical scalar"));
+    for b in encoding.as_mut() {
+      b.zeroize();
+    }
+    res
+  }
+
+  /// Read a canonical point from something implementing std::io::Read.
+  #[cfg(feature = "std")]
+  #[allow(non_snake_case)]
+  fn read_G<R: Read>(reader: &mut R) -> io::Result<Self::G> {
+    let mut encoding = <Self::G as GroupEncoding>::Repr::default();
+    reader.read_exact(encoding.as_mut())?;
+
+    let point = Option::<Self::G>::from(Self::G::from_bytes(&encoding))
+      .ok_or_else(|| io::Error::new(io::ErrorKind::Other, "invalid point"))?;
+    if point.to_bytes().as_ref() != encoding.as_ref() {
+      Err(io::Error::new(io::ErrorKind::Other, "non-canonical point"))?;
+    }
+    Ok(point)
+  }
+}