ff 0.13 (#269)

* Partial move to ff 0.13

It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further
work at this time.

* Update all crates to work on ff 0.13

The provided curves still need to be expanded to fit the new API.

* Finish adding dalek-ff-group ff 0.13 constants

* Correct FieldElement::product definition

Also stops exporting macros.

* Test most new parts of ff 0.13

* Additionally test ff-group-tests with BLS12-381 and the pasta curves

We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto,
the group behind ff/group, and the pasta curves, which is by Zcash (though
Zcash developers are also behind zk-crypto).

* Finish Ed448

Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13.

* Add RustCrypto/elliptic-curves to allowed git repos

Needed due to k256/p256 incorrectly defining product.

* Finish writing ff 0.13 tests

* Add additional comments to dalek

* Further comments

* Update ethereum-serai to ff 0.13

coins/bitcoin/Cargo.toml

@@ -19,7 +19,7 @@ sha2 = "0.10"
 secp256k1 = { version = "0.24", features = ["global-context"] }
 bitcoin = { version = "0.29", features = ["serde"] }
 
-k256 = { version = "0.12", features = ["arithmetic"] }
+k256 = { version = "0.13", features = ["arithmetic"] }
 transcript = { package = "flexible-transcript", path = "../../crypto/transcript", version = "0.3", features = ["recommended"] }
 frost = { package = "modular-frost", path = "../../crypto/frost", version = "0.7", features = ["secp256k1"] }
 

coins/bitcoin/src/crypto.rs

@@ -71,7 +71,7 @@ impl HramTrait<Secp256k1> for Hram {
     data.update(x(A));
     data.update(m);
 
-    Scalar::from_uint_reduced(U256::from_be_slice(&data.finalize()))
+    Scalar::reduce(U256::from_be_slice(&data.finalize()))
   }
 }
 

coins/ethereum/Cargo.toml

@@ -22,8 +22,8 @@ serde = "1"
 sha2 = "0.10"
 sha3 = "0.10"
 
-group = "0.12"
-k256 = { version = "0.12", features = ["arithmetic", "ecdsa"] }
+group = "0.13"
+k256 = { version = "0.13", features = ["arithmetic", "ecdsa"] }
 frost = { package = "modular-frost", path = "../../crypto/frost", features = ["secp256k1", "tests"] }
 
 eyre = "0.6"

coins/ethereum/src/crypto.rs

@@ -2,7 +2,9 @@ use sha3::{Digest, Keccak256};
 
 use group::Group;
 use k256::{
-  elliptic_curve::{bigint::ArrayEncoding, ops::Reduce, sec1::ToEncodedPoint, DecompressPoint},
+  elliptic_curve::{
+    bigint::ArrayEncoding, ops::Reduce, point::DecompressPoint, sec1::ToEncodedPoint,
+  },
   AffinePoint, ProjectivePoint, Scalar, U256,
 };
 
@@ -13,7 +15,7 @@ pub fn keccak256(data: &[u8]) -> [u8; 32] {
 }
 
 pub fn hash_to_scalar(data: &[u8]) -> Scalar {
-  Scalar::from_uint_reduced(U256::from_be_slice(&keccak256(data)))
+  Scalar::reduce(U256::from_be_slice(&keccak256(data)))
 }
 
 pub fn address(point: &ProjectivePoint) -> [u8; 20] {
@@ -56,7 +58,7 @@ impl Hram<Secp256k1> for EthereumHram {
     let mut data = address(R).to_vec();
     data.append(&mut a_encoded);
     data.append(&mut m.to_vec());
-    Scalar::from_uint_reduced(U256::from_be_slice(&keccak256(&data)))
+    Scalar::reduce(U256::from_be_slice(&keccak256(&data)))
   }
 }
 
@@ -92,7 +94,7 @@ pub fn process_signature_for_contract(
 ) -> ProcessedSignature {
   let encoded_pk = A.to_encoded_point(true);
   let px = &encoded_pk.as_ref()[1 .. 33];
-  let px_scalar = Scalar::from_uint_reduced(U256::from_be_slice(px));
+  let px_scalar = Scalar::reduce(U256::from_be_slice(px));
   let e = EthereumHram::hram(R, A, &[chain_id.to_be_byte_array().as_slice(), &m].concat());
   ProcessedSignature {
     s,

coins/ethereum/tests/crypto.rs

@@ -19,7 +19,7 @@ fn test_ecrecover() {
   const MESSAGE: &[u8] = b"Hello, World!";
   let (sig, recovery_id) = private
     .as_nonzero_scalar()
-    .try_sign_prehashed_rfc6979::<Sha256>(Keccak256::digest(MESSAGE), b"")
+    .try_sign_prehashed_rfc6979::<Sha256>(&Keccak256::digest(MESSAGE), b"")
     .unwrap();
   #[allow(clippy::unit_cmp)] // Intended to assert this wasn't changed to Result<bool>
   {
@@ -68,7 +68,7 @@ fn test_ecrecover_hack() {
   let group_key = keys[&Participant::new(1).unwrap()].group_key();
   let group_key_encoded = group_key.to_encoded_point(true);
   let group_key_compressed = group_key_encoded.as_ref();
-  let group_key_x = Scalar::from_uint_reduced(U256::from_be_slice(&group_key_compressed[1 .. 33]));
+  let group_key_x = Scalar::reduce(U256::from_be_slice(&group_key_compressed[1 .. 33]));
 
   const MESSAGE: &[u8] = b"Hello, World!";
   let hashed_message = keccak256(MESSAGE);

coins/monero/Cargo.toml

@@ -30,7 +30,7 @@ sha3 = "0.10"
 
 curve25519-dalek = { version = "^3.2", features = ["std"] }
 
-group = "0.12"
+group = "0.13"
 dalek-ff-group = { path = "../../crypto/dalek-ff-group", version = "0.3" }
 multiexp = { path = "../../crypto/multiexp", version = "0.3", features = ["batch"] }
 

coins/monero/generators/Cargo.toml

@@ -20,5 +20,5 @@ sha3 = "0.10"
 
 curve25519-dalek = { version = "3", features = ["std"] }
 
-group = "0.12"
+group = "0.13"
 dalek-ff-group = { path = "../../../crypto/dalek-ff-group", version = "0.3" }

coins/monero/generators/src/hash_to_point.rs

@@ -13,7 +13,7 @@ pub fn hash_to_point(bytes: [u8; 32]) -> EdwardsPoint {
   let A = FieldElement::from(486662u64);
 
   let v = FieldElement::from_square(hash(&bytes)).double();
-  let w = v + FieldElement::one();
+  let w = v + FieldElement::ONE;
   let x = w.square() + (-A.square() * v);
 
   // This isn't the complete X, yet its initial value

coins/monero/src/ringct/bulletproofs/core.rs

@@ -80,8 +80,8 @@ pub(crate) fn bit_decompose(commitments: &[Commitment]) -> (ScalarVector, Scalar
       if j < sv.len() {
         bit = Choice::from((sv[j][i / 8] >> (i % 8)) & 1);
       }
-      aL.0[(j * N) + i] = Scalar::conditional_select(&Scalar::zero(), &Scalar::one(), bit);
-      aR.0[(j * N) + i] = Scalar::conditional_select(&-Scalar::one(), &Scalar::zero(), bit);
+      aL.0[(j * N) + i] = Scalar::conditional_select(&Scalar::ZERO, &Scalar::ONE, bit);
+      aR.0[(j * N) + i] = Scalar::conditional_select(&-Scalar::ONE, &Scalar::ZERO, bit);
     }
   }
 
@@ -129,7 +129,7 @@ lazy_static! {
 }
 
 pub(crate) fn challenge_products(w: &[Scalar], winv: &[Scalar]) -> Vec<Scalar> {
-  let mut products = vec![Scalar::zero(); 1 << w.len()];
+  let mut products = vec![Scalar::ZERO; 1 << w.len()];
   products[0] = winv[0];
   products[1] = w[0];
   for j in 1 .. w.len() {

coins/monero/src/ringct/bulletproofs/original.rs

@@ -15,7 +15,7 @@ use crate::{Commitment, ringct::bulletproofs::core::*};
 include!(concat!(env!("OUT_DIR"), "/generators.rs"));
 
 lazy_static! {
-  static ref ONE_N: ScalarVector = ScalarVector(vec![Scalar::one(); N]);
+  static ref ONE_N: ScalarVector = ScalarVector(vec![Scalar::ONE; N]);
   static ref IP12: Scalar = inner_product(&ONE_N, &TWO_N);
 }
 
@@ -250,7 +250,7 @@ impl OriginalStruct {
     proof.push((z3, *H));
     proof.push((-Scalar(self.mu), G));
 
-    proof.push((Scalar::one(), A));
+    proof.push((Scalar::ONE, A));
     proof.push((x, S));
 
     {

coins/monero/src/ringct/bulletproofs/plus.rs

@@ -31,7 +31,7 @@ fn hash_plus<C: IntoIterator<Item = DalekPoint>>(commitments: C) -> (Scalar, Vec
 // d[j*N+i] = z**(2*(j+1)) * 2**i
 fn d(z: Scalar, M: usize, MN: usize) -> (ScalarVector, ScalarVector) {
   let zpow = ScalarVector::even_powers(z, 2 * M);
-  let mut d = vec![Scalar::zero(); MN];
+  let mut d = vec![Scalar::ZERO; MN];
   for j in 0 .. M {
     for i in 0 .. N {
       d[(j * N) + i] = zpow[j] * TWO_N[i];
@@ -239,7 +239,7 @@ impl PlusStruct {
     // Invert B, instead of the Scalar, as the latter is only 2x as expensive yet enables reduction
     // to a single addition under vartime for the first BP verified in the batch, which is expected
     // to be much more significant
-    proof.push((Scalar::one(), -B));
+    proof.push((Scalar::ONE, -B));
     proof.push((-e, A1));
     proof.push((minus_esq, A));
     proof.push((Scalar(self.d1), G));

coins/monero/src/ringct/bulletproofs/scalar_vector.rs

@@ -48,14 +48,14 @@ math_op!(Mul, mul, |(a, b): (&Scalar, &Scalar)| *a * *b);
 
 impl ScalarVector {
   pub(crate) fn new(len: usize) -> ScalarVector {
-    ScalarVector(vec![Scalar::zero(); len])
+    ScalarVector(vec![Scalar::ZERO; len])
   }
 
   pub(crate) fn powers(x: Scalar, len: usize) -> ScalarVector {
     debug_assert!(len != 0);
 
     let mut res = Vec::with_capacity(len);
-    res.push(Scalar::one());
+    res.push(Scalar::ONE);
     for i in 1 .. len {
       res.push(res[i - 1] * x);
     }

coins/monero/src/ringct/clsag/multisig.rs

@@ -304,7 +304,7 @@ impl Algorithm<Ed25519> for ClsagMultisig {
     Ok(vec![
       (share, dfg::EdwardsPoint::generator()),
       (dfg::Scalar(interim.p), verification_share),
-      (-dfg::Scalar::one(), nonces[0][0]),
+      (-dfg::Scalar::ONE, nonces[0][0]),
     ])
   }
 }

coins/monero/src/wallet/send/multisig.rs

@@ -148,7 +148,7 @@ impl SignableTransaction {
       let clsag = ClsagMultisig::new(transcript.clone(), input.key(), inputs[i].clone());
       key_images.push((
         clsag.H,
-        keys.current_offset().unwrap_or_else(dfg::Scalar::zero).0 + self.inputs[i].key_offset(),
+        keys.current_offset().unwrap_or(dfg::Scalar::ZERO).0 + self.inputs[i].key_offset(),
       ));
       clsags.push(AlgorithmMachine::new(clsag, offset));
     }