* Partial move to ff 0.13

It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further
work at this time.

* Update all crates to work on ff 0.13

The provided curves still need to be expanded to fit the new API.

* Finish adding dalek-ff-group ff 0.13 constants

* Correct FieldElement::product definition

Also stops exporting macros.

* Test most new parts of ff 0.13

* Additionally test ff-group-tests with BLS12-381 and the pasta curves

We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto,
the group behind ff/group, and the pasta curves, which are by Zcash (though
Zcash developers are also behind zk-crypto).

* Finish Ed448

Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff 0.13.

* Add RustCrypto/elliptic-curves to allowed git repos

Needed due to k256/p256 incorrectly defining product.

* Finish writing ff 0.13 tests

* Add additional comments to dalek

* Further comments

* Update ethereum-serai to ff 0.13

Luke Parker
2023-03-28 04:38:01 -04:00
committed by GitHub
parent a9f6300e86
commit 79aff5d4c8
59 changed files with 865 additions and 429 deletions

@@ -23,21 +23,21 @@ transcript = { package = "flexible-transcript", path = "../transcript", version
sha2 = { version = "0.10", optional = true }
sha3 = { version = "0.10", optional = true }
ff = { version = "0.12", features = ["bits"] }
group = "0.12"
ff = { version = "0.13", features = ["bits"] }
group = "0.13"
dalek-ff-group = { path = "../dalek-ff-group", version = "0.3", optional = true }
elliptic-curve = { version = "0.12", features = ["hash2curve"], optional = true }
p256 = { version = "0.12", features = ["arithmetic", "bits", "hash2curve"], optional = true }
k256 = { version = "0.12", features = ["arithmetic", "bits", "hash2curve"], optional = true }
elliptic-curve = { version = "0.13", features = ["hash2curve"], optional = true }
p256 = { version = "0.13", features = ["arithmetic", "bits", "hash2curve"], optional = true }
k256 = { version = "0.13", features = ["arithmetic", "bits", "hash2curve"], optional = true }
minimal-ed448 = { path = "../ed448", version = "0.3", optional = true }
[dev-dependencies]
hex = "0.4"
ff-group-tests = { version = "0.12", path = "../ff-group-tests" }
ff-group-tests = { version = "0.13", path = "../ff-group-tests" }
[features]
std = []
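Review bot: the commit message says k256/p256 define `product` incorrectly and need RustCrypto/elliptic-curves as a git source, yet every dependency in this hunk (`k256 = { version = "0.13", ... }`, `p256 = { version = "0.13", ... }`) points at crates.io, so the override must live in a workspace-level `[patch]`; a one-line comment next to these lines referencing that override would stop a later cleanup from dropping it silently. Since `ff`/`group` 0.13 are semver-breaking and their traits are exposed through this crate's public `Ciphersuite` API, also check that this crate's own `[package] version` (not visible here) and the path crates pinned at `"0.3"` (dalek-ff-group, minimal-ed448) are bumped in the same change.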

@@ -2,11 +2,11 @@ use zeroize::Zeroize;
use sha2::Sha256;
use group::ff::{Field, PrimeField};
use group::ff::PrimeField;
use elliptic_curve::{
generic_array::GenericArray,
bigint::{CheckedAdd, Encoding, U384},
bigint::{NonZero, CheckedAdd, Encoding, U384},
hash2curve::{Expander, ExpandMsg, ExpandMsgXmd},
};
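Review bot: `bigint::{NonZero, CheckedAdd, Encoding, U384}` breaks the alphabetical order the previous inner list kept; `{CheckedAdd, Encoding, NonZero, U384}` would match. Dropping `Field` from the `group::ff` import is fine assuming `Self::F` carries a `PrimeField` bound: `ZERO`, `ONE` and `random` used in the following hunks are resolved through that bound (`PrimeField: Field`), so the trait does not need to be named in scope.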
@@ -61,7 +61,7 @@ macro_rules! kp_curve {
let mut modulus = [0; L];
// The byte repr of scalars will be 32 big-endian bytes
// Set the lower 32 bytes of our 48-byte array accordingly
modulus[16 ..].copy_from_slice(&(Self::F::zero() - Self::F::one()).to_bytes());
modulus[16 ..].copy_from_slice(&(Self::F::ZERO - Self::F::ONE).to_bytes());
// Use a checked_add + unwrap since this addition cannot fail (being a 32-byte value with
// 48-bytes of space)
// While a non-panicking saturating_add/wrapping_add could be used, they'd likely be less
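Review bot: `Self::F::ZERO - Self::F::ONE` yields p-1, and the reader only learns from the later "checked_add" comment that one is added back to recover p; either state "this is p-1, +1 below" on this line, or use ff 0.13's new `PrimeField::MODULUS` constant (a hex string of the modulus), which would remove the subtract-then-add detour entirely.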
@@ -71,11 +71,12 @@ macro_rules! kp_curve {
// The defined P-256 and secp256k1 ciphersuites both use expand_message_xmd
let mut wide = U384::from_be_bytes({
let mut bytes = [0; 48];
ExpandMsgXmd::<Sha256>::expand_message(&[msg], dst, 48).unwrap().fill_bytes(&mut bytes);
ExpandMsgXmd::<Sha256>::expand_message(&[msg], &[dst], 48)
.unwrap()
.fill_bytes(&mut bytes);
bytes
})
.reduce(&modulus)
.unwrap()
.rem(&NonZero::new(modulus).unwrap())
.to_be_bytes();
// Now that this has been reduced back to a 32-byte value, grab the lower 32-bytes
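Review bot: `NonZero::new(modulus).unwrap()` is built inline on every call and its panic reasoning (modulus is p, hence never zero) lives far from where `modulus` is derived; constructing the `NonZero` once where `modulus` is built, with that justification as a comment, keeps the unwrap auditable. Also worth stating in the PR description that crypto-bigint's `rem` preserves the constant-time behaviour of the replaced `reduce`, since `msg` can be secret-derived in callers of hash-to-field.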

@@ -79,7 +79,7 @@ pub trait Ciphersuite:
let mut res;
while {
res = Self::F::random(&mut *rng);
res.ct_eq(&Self::F::zero()).into()
res.ct_eq(&Self::F::ZERO).into()
} {}
res
}
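Review bot: the `while { ... } {}` rejection loop branches on the result of `res.ct_eq(&Self::F::ZERO).into()`, so the constant-time comparison gains nothing here; that is acceptable for rejecting the single zero element (negligible probability of a retry), but a one-line comment saying the loop is intentionally not constant time, and a plainer `loop { ... if !bool::from(res.ct_eq(&Self::F::ZERO)) { break res; } }` shape, would read better than the bare `while { } {}` idiom.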