ff 0.13 (#269)

* Partial move to ff 0.13

It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further
work at this time.

* Update all crates to work on ff 0.13

The provided curves still need to be expanded to fit the new API.

* Finish adding dalek-ff-group ff 0.13 constants

* Correct FieldElement::product definition

Also stops exporting macros.

* Test most new parts of ff 0.13

* Additionally test ff-group-tests with BLS12-381 and the pasta curves

We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto,
the group behind ff/group, and the pasta curves, which is by Zcash (though
Zcash developers are also behind zk-crypto).

* Finish Ed448

Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13.

* Add RustCrypto/elliptic-curves to allowed git repos

Needed due to k256/p256 incorrectly defining product.

* Finish writing ff 0.13 tests

* Add additional comments to dalek

* Further comments

* Update ethereum-serai to ff 0.13

crypto/schnorr/src/aggregate.rs

@@ -22,7 +22,7 @@ fn weight<D: Send + Clone + SecureDigest, F: PrimeField>(digest: &mut DigestTran
   // This should be guaranteed thanks to SecureDigest
   debug_assert!(bytes.len() >= 32);
 
-  let mut res = F::zero();
+  let mut res = F::ZERO;
   let mut i = 0;
 
   // Derive a scalar from enough bits of entropy that bias is < 2^128
@@ -139,12 +139,18 @@ impl<C: Ciphersuite> SchnorrAggregate<C> {
 
 /// A signature aggregator capable of consuming signatures in order to produce an aggregate.
 #[allow(non_snake_case)]
-#[derive(Clone, Debug, Zeroize)]
+#[derive(Clone, Debug)]
 pub struct SchnorrAggregator<C: Ciphersuite> {
   digest: DigestTranscript<C::H>,
   sigs: Vec<SchnorrSignature<C>>,
 }
 
+impl<C: Ciphersuite> Zeroize for SchnorrAggregator<C> {
+  fn zeroize(&mut self) {
+    self.sigs.zeroize();
+  }
+}
+
 impl<C: Ciphersuite> SchnorrAggregator<C> {
   /// Create a new aggregator.
   ///
@@ -168,8 +174,7 @@ impl<C: Ciphersuite> SchnorrAggregator<C> {
       return None;
     }
 
-    let mut aggregate =
-      SchnorrAggregate { Rs: Vec::with_capacity(self.sigs.len()), s: C::F::zero() };
+    let mut aggregate = SchnorrAggregate { Rs: Vec::with_capacity(self.sigs.len()), s: C::F::ZERO };
     for i in 0 .. self.sigs.len() {
       aggregate.Rs.push(self.sigs[i].R);
       aggregate.s += self.sigs[i].s * weight::<_, C::F>(&mut self.digest);

crypto/schnorr/src/lib.rs

@@ -82,7 +82,7 @@ impl<C: Ciphersuite> SchnorrSignature<C> {
     // R + cA - sG == 0
     [
       // R
-      (C::F::one(), self.R),
+      (C::F::ONE, self.R),
       // cA
       (challenge, public_key),
       // -sG

crypto/schnorr/src/tests/mod.rs

@@ -28,7 +28,7 @@ pub(crate) fn sign<C: Ciphersuite>() {
 // This verifies invalid signatures don't pass, using zero signatures, which should effectively be
 // random
 pub(crate) fn verify<C: Ciphersuite>() {
-  assert!(!SchnorrSignature::<C> { R: C::G::identity(), s: C::F::zero() }
+  assert!(!SchnorrSignature::<C> { R: C::G::identity(), s: C::F::ZERO }
     .verify(C::generator() * C::random_nonzero_F(&mut OsRng), C::random_nonzero_F(&mut OsRng)));
 }
 
@@ -62,10 +62,10 @@ pub(crate) fn batch_verify<C: Ciphersuite>() {
     let mut batch = BatchVerifier::new(5);
     for (i, mut sig) in sigs.clone().drain(..).enumerate() {
       if i == 1 {
-        sig.s += C::F::one();
+        sig.s += C::F::ONE;
       }
       if i == 2 {
-        sig.s -= C::F::one();
+        sig.s -= C::F::ONE;
       }
       sig.batch_verify(&mut OsRng, &mut batch, i, C::generator() * keys[i].deref(), challenges[i]);
     }