* Partial move to ff 0.13

It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further
work at this time.

* Update all crates to work on ff 0.13

The provided curves still need to be expanded to fit the new API.

* Finish adding dalek-ff-group ff 0.13 constants

* Correct FieldElement::product definition

Also stops exporting macros.

* Test most new parts of ff 0.13

* Additionally test ff-group-tests with BLS12-381 and the pasta curves

Previously we only tested curves from RustCrypto. Now we also test a curve offered by zk-crypto,
the group behind ff/group, and the pasta curves, which are by Zcash (though
Zcash developers are also behind zk-crypto).

* Finish Ed448

Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13.

* Add RustCrypto/elliptic-curves to allowed git repos

Needed due to k256/p256 incorrectly defining product.

* Finish writing ff 0.13 tests

* Add additional comments to dalek

* Further comments

* Update ethereum-serai to ff 0.13
This commit is contained in:
Luke Parker
2023-03-28 04:38:01 -04:00
committed by GitHub
parent a9f6300e86
commit 79aff5d4c8
59 changed files with 865 additions and 429 deletions


@@ -190,7 +190,7 @@ impl<C: Ciphersuite, E: Encryptable> EncryptedMessage<C, E> {
#[cfg(test)]
pub(crate) fn invalidate_pop(&mut self) {
self.pop.s += C::F::one();
self.pop.s += C::F::ONE;
}
#[cfg(test)]
@@ -250,7 +250,7 @@ impl<C: Ciphersuite, E: Encryptable> EncryptedMessage<C, E> {
use ciphersuite::group::ff::PrimeField;
// Assumes the share isn't randomly 1
let repr = C::F::one().to_repr();
let repr = C::F::ONE.to_repr();
self.msg.as_mut().as_mut().copy_from_slice(repr.as_ref());
*self = encrypt(rng, context, from, to, self.msg.clone());
}


@@ -156,8 +156,8 @@ fn polynomial<F: PrimeField + Zeroize>(
) -> Zeroizing<F> {
let l = F::from(u64::from(u16::from(l)));
// This should never be reached since Participant is explicitly non-zero
assert!(l != F::zero(), "zero participant passed to polynomial");
let mut share = Zeroizing::new(F::zero());
assert!(l != F::ZERO, "zero participant passed to polynomial");
let mut share = Zeroizing::new(F::ZERO);
for (idx, coefficient) in coefficients.iter().rev().enumerate() {
*share += coefficient.deref();
if idx != (coefficients.len() - 1) {
@@ -366,7 +366,7 @@ impl<C: Ciphersuite> Zeroize for KeyMachine<C> {
fn exponential<C: Ciphersuite>(i: Participant, values: &[C::G]) -> Vec<(C::F, C::G)> {
let i = C::F::from(u16::from(i).into());
let mut res = Vec::with_capacity(values.len());
(0 .. values.len()).fold(C::F::one(), |exp, l| {
(0 .. values.len()).fold(C::F::ONE, |exp, l| {
res.push((exp, values[l]));
exp * i
});
@@ -389,7 +389,7 @@ fn share_verification_statements<C: Ciphersuite>(
// converts whatever we give to an iterator and then builds a Vec internally, welcoming copies
let neg_share_pub = C::generator() * -*share;
share.zeroize();
values.push((C::F::one(), neg_share_pub));
values.push((C::F::ONE, neg_share_pub));
values
}
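Review bot: The negated scalar built by `-*share` in `share_verification_statements` (`let neg_share_pub = C::generator() * -*share;`) is a second copy of the secret share that is dropped without zeroization, so the `share.zeroize()` on the next line only scrubs the original. Negating the public point instead keeps the secret-derived intermediates to the unavoidable by-value copy handed to `Mul`: `let neg_share_pub = -(C::generator() * *share);`. Since `C::F` is `Copy` this narrows rather than eliminates stack residue, so it is only worth doing if that residue is in the threat model — the eager `share.zeroize()` here and the `Zeroizing` accumulator in `polynomial` suggest it is. The function starts before this hunk.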


@@ -176,8 +176,8 @@ impl ThresholdParams {
pub fn lagrange<F: PrimeField>(i: Participant, included: &[Participant]) -> F {
let i_f = F::from(u64::from(u16::from(i)));
let mut num = F::one();
let mut denom = F::one();
let mut num = F::ONE;
let mut denom = F::ONE;
for l in included {
if i == *l {
continue;
@@ -405,7 +405,7 @@ impl<C: Ciphersuite> ThresholdKeys<C> {
// Carry any existing offset
// Enables schemes like Monero's subaddresses which have a per-subaddress offset and then a
// one-time-key offset
res.offset = Some(offset + res.offset.unwrap_or_else(C::F::zero));
res.offset = Some(offset + res.offset.unwrap_or(C::F::ZERO));
res
}
@@ -426,7 +426,7 @@ impl<C: Ciphersuite> ThresholdKeys<C> {
/// Return the group key, with any offset applied.
pub fn group_key(&self) -> C::G {
self.core.group_key + (C::generator() * self.offset.unwrap_or_else(C::F::zero))
self.core.group_key + (C::generator() * self.offset.unwrap_or(C::F::ZERO))
}
/// Return all participants' verification shares without any offsetting.
@@ -457,7 +457,7 @@ impl<C: Ciphersuite> ThresholdKeys<C> {
}
// The offset is included by adding it to the participant with the lowest ID
let offset = self.offset.unwrap_or_else(C::F::zero);
let offset = self.offset.unwrap_or(C::F::ZERO);
if included[0] == self.params().i() {
*secret_share += offset;
}
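Review bot: `included[0]` on `if included[0] == self.params().i()` is the lowest participant ID, as the comment above it promises, only when `included` is sorted ascending and deduplicated, and nothing in the hunk checks that; with an unsorted slice different signers would fold the offset into different shares and the combined signature would not verify. If the caller does not already guarantee the order, a guard near the top of the function makes the precondition explicit, e.g. `debug_assert!(included.windows(2).all(|w| u16::from(w[0]) < u16::from(w[1])), "included must be sorted and deduplicated");` (adjust if `Participant` is not `Copy`); if it does, a one-line `// included is sorted by the caller` comment is enough. The same precondition presumably matters for `lagrange` earlier in this file, where a duplicated `l` would be multiplied in twice. The enclosing function starts before this hunk, so an existing check there would not be visible.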


@@ -36,7 +36,7 @@ pub fn recover_key<C: Ciphersuite>(keys: &HashMap<Participant, ThresholdKeys<C>>
assert!(keys.len() >= first.params().t().into(), "not enough keys provided");
let included = keys.keys().cloned().collect::<Vec<_>>();
let group_private = keys.iter().fold(C::F::zero(), |accum, (i, keys)| {
let group_private = keys.iter().fold(C::F::ZERO, |accum, (i, keys)| {
accum + (lagrange::<C::F>(*i, &included) * keys.secret_share().deref())
});
assert_eq!(C::generator() * group_private, first.group_key(), "failed to recover keys");
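Review bot: `group_private` in `recover_key` is the fully recovered group private key, yet the `keys.iter().fold(C::F::ZERO, …)` line accumulates it in a bare `C::F`, whereas `polynomial` in this same commit wraps a single share in `Zeroizing`. If this helper is reachable outside `#[cfg(test)]`, wrap the accumulator — `let group_private = Zeroizing::new(keys.iter().fold(C::F::ZERO, |accum, (i, keys)| { … }));` and dereference it in the assertion — noting that the per-term `lagrange * secret_share` products are still dropped unzeroized. Separately, the assertion compares against `first.group_key()`, which per `ThresholdKeys::group_key` in this commit adds `C::generator() * offset`; unless `secret_share()` already folds the offset in (not visible here), the helper fails for any key set carrying an offset, so either document that with `/// Expects keys without an offset applied.` or compare against the un-offset group key. The function's signature and return are outside the hunk.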