absolutebi/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-12-14 06:59:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Inline the eVRF into the DKG library

Browse Source 
Due to how we're handling share encryption, we'd either need two circuits or to
dedicate this circuit to the DKG. The latter makes sense at this time.
This commit is contained in:
Luke Parker
2024-07-24 20:05:46 -04:00
parent fa31f26397
commit 96175e115d
8 changed files with 27 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
crypto/dkg/Cargo.toml
View File

@@ -36,13 +36,26 @@ multiexp = { path = "../multiexp", version = "0.4", default-features = false }
schnorr = { package = "schnorr-signatures", path = "../schnorr", version = "^0.5.1", default-features = false }
dleq = { path = "../dleq", version = "^0.4.1", default-features = false }
# eVRF DKG dependencies
subtle = { version = "2", default-features = false, features = ["std"], optional = true }
generic-array = { version = "1", default-features = false, features = ["alloc"], optional = true }
rand_chacha = { version = "0.3", default-features = false, features = ["std"], optional = true }
blake2 = { version = "0.10", default-features = false, features = ["std"], optional = true }
generalized-bulletproofs = { path = "../evrf/generalized-bulletproofs", default-features = false, optional = true }
ec-divisors = { path = "../evrf/divisors", default-features = false, optional = true }
evrf = { path = "../evrf", default-features = false, optional = true }
generalized-bulletproofs-circuit-abstraction = { path = "./circuit-abstraction", optional = true }
generalized-bulletproofs-ec-gadgets = { path = "./ec-gadgets", optional = true }
[dev-dependencies]
rand_core = { version = "0.6", default-features = false, features = ["getrandom"] }
ciphersuite = { path = "../ciphersuite", default-features = false, features = ["ristretto"] }
generalized-bulletproofs = { path = "./generalized-bulletproofs", features = ["tests"] }
ec-divisors = { path = "./divisors", features = ["pasta"] }
pasta_curves = "0.5"
[dependencies]
generalized-bulletproofs-circuit-abstraction = { path = "./circuit-abstraction" }
generalized-bulletproofs-ec-gadgets = { path = "./ec-gadgets" }
[features]
std = [
@@ -66,6 +79,6 @@ std = [
"dleq/serialize"
]
borsh = ["dep:borsh"]
evrf = ["std", "dep:ec-divisors", "dep:generalized-bulletproofs", "dep:evrf"]
evrf = ["std", "dep:subtle", "dep:generic-array", "dep:rand_chacha", "dep:blake2", "dep:ec-divisors", "dep:generalized-bulletproofs", "dep:evrf"]
tests = ["rand_core/getrandom"]
default = ["std"]

0
crypto/dkg/src/evrf.rs → crypto/dkg/src/evrf/mod.rs
View File

568
crypto/dkg/src/evrf/proof.rs Normal file
View File

@@ -0,0 +1,568 @@
use subtle::*;
use zeroize::{Zeroize, Zeroizing};
use rand_core::{RngCore, CryptoRng, SeedableRng};
use rand_chacha::ChaCha20Rng;
use generic_array::{typenum::Unsigned, ArrayLength, GenericArray};
use blake2::{Digest, Blake2s256};
use ciphersuite::{
group::{
ff::{Field, PrimeField, PrimeFieldBits},
Group, GroupEncoding,
},
Ciphersuite,
};
use generalized_bulletproofs::{
*,
transcript::{Transcript as ProverTranscript, VerifierTranscript},
arithmetic_circuit_proof::*,
};
use generalized_bulletproofs_circuit_abstraction::*;
use ec_divisors::{DivisorCurve, new_divisor};
use generalized_bulletproofs_ec_gadgets::*;
#[cfg(test)]
mod tests;
/// A curve to perform the eVRF with.
pub trait EvrfCurve: Ciphersuite {
type EmbeddedCurve: Ciphersuite;
type EmbeddedCurveParameters: DiscreteLogParameters;
}
/// The result of proving for an eVRF.
pub struct EvrfProveResult<C: Ciphersuite> {
pub scalars: Vec<Zeroizing<C::F>>,
pub proof: Vec<u8>,
}
/// A struct to prove/verify eVRFs with.
pub struct Evrf;
impl Evrf {
fn transcript_to_points<C: Ciphersuite>(seed: [u8; 32], quantity: usize) -> Vec<C::G> {
// We need to do two Diffie-Hellman's per point in order to achieve an unbiased result
let quantity = 2 * quantity;
let mut rng = ChaCha20Rng::from_seed(seed);
let mut res = Vec::with_capacity(quantity);
while res.len() < quantity {
let mut repr = <C::G as GroupEncoding>::Repr::default();
rng.fill_bytes(repr.as_mut());
if let Ok(point) = C::read_G(&mut repr.as_ref()) {
res.push(point);
}
}
res
}
fn point_with_dlogs<Parameters: DiscreteLogParameters>(
quantity: usize,
generators_to_use: usize,
) -> Vec<PointWithDlog<Parameters>> {
let quantity = 2 * quantity;
fn read_one_from_tape(generators_to_use: usize, start: &mut usize) -> Variable {
let commitment = *start / (2 * generators_to_use);
let index = *start % generators_to_use;
let res = if (*start / generators_to_use) % 2 == 0 {
Variable::CG { commitment, index }
} else {
Variable::CH { commitment, index }
};
*start += 1;
res
}
fn read_from_tape<N: ArrayLength>(
generators_to_use: usize,
start: &mut usize,
) -> GenericArray<Variable, N> {
let mut buf = Vec::with_capacity(N::USIZE);
for _ in 0 .. N::USIZE {
buf.push(read_one_from_tape(generators_to_use, start));
}
GenericArray::from_slice(&buf).clone()
}
// We define a serialized tape of the discrete logarithm, then for each divisor/point:
// zero, x**i, y x**i, y, x_coord, y_coord
// We then chunk that into vector commitments
// Here, we take the assumed layout and generate the expected `Variable`s for this layout
let mut start = 0;
let dlog = read_from_tape(generators_to_use, &mut start);
let mut res = Vec::with_capacity(quantity + 1);
let mut read_point_with_dlog = || {
let zero = read_one_from_tape(generators_to_use, &mut start);
let x_from_power_of_2 = read_from_tape(generators_to_use, &mut start);
let yx = read_from_tape(generators_to_use, &mut start);
let y = read_one_from_tape(generators_to_use, &mut start);
let divisor = Divisor { zero, x_from_power_of_2, yx, y };
let point = (
read_one_from_tape(generators_to_use, &mut start),
read_one_from_tape(generators_to_use, &mut start),
);
res.push(PointWithDlog { dlog: dlog.clone(), divisor, point });
};
for _ in 0 .. quantity {
// One for each DH proven
read_point_with_dlog();
}
// And one more for the proof this is the discrete log of the public key
read_point_with_dlog();
res
}
fn muls_and_generators_to_use(quantity: usize) -> (usize, usize) {
let expected_muls = 7 * (1 + (2 * quantity));
let generators_to_use = {
let mut padded_pow_of_2 = 1;
while padded_pow_of_2 < expected_muls {
padded_pow_of_2 <<= 1;
}
// This may as small as 16, which would create an excessive amount of vector commitments
// We set a floor of 1024 rows for bandwidth reasons
padded_pow_of_2.max(1024)
};
(expected_muls, generators_to_use)
}
fn circuit<C: EvrfCurve>(
curve_spec: &CurveSpec<C::F>,
evrf_public_key: (C::F, C::F),
quantity: usize,
generator_tables: &[GeneratorTable<C::F, C::EmbeddedCurveParameters>],
circuit: &mut Circuit<C>,
transcript: &mut impl Transcript,
) {
let (expected_muls, generators_to_use) = Self::muls_and_generators_to_use(quantity);
let (challenge, challenged_generators) =
circuit.discrete_log_challenge(transcript, curve_spec, generator_tables);
let mut point_with_dlogs =
Self::point_with_dlogs::<C::EmbeddedCurveParameters>(quantity, generators_to_use).into_iter();
// Verify the DLog claims for the sampled points
for (i, pair) in challenged_generators.chunks(2).take(quantity).enumerate() {
let mut lincomb = LinComb::empty();
debug_assert_eq!(pair.len(), 2);
for challenged_generator in pair {
let point = circuit.discrete_log(
curve_spec,
point_with_dlogs.next().unwrap(),
&challenge,
challenged_generator,
);
// For each point in this pair, add its x coordinate to a lincomb
lincomb = lincomb.term(C::F::ONE, point.x());
}
// Constrain the sum of the two x coordinates to be equal to the value in the Pedersen
// commitment
circuit.equality(lincomb, &LinComb::from(Variable::V(i)));
}
let point = circuit.discrete_log(
curve_spec,
point_with_dlogs.next().unwrap(),
&challenge,
challenged_generators.last().unwrap(),
);
circuit.equality(LinComb::from(point.x()), &LinComb::empty().constant(evrf_public_key.0));
circuit.equality(LinComb::from(point.y()), &LinComb::empty().constant(evrf_public_key.1));
debug_assert_eq!(expected_muls, circuit.muls());
debug_assert!(point_with_dlogs.next().is_none());
}
/// Prove a point on an elliptic curve had its discrete logarithm generated via an eVRF.
pub fn prove<C: EvrfCurve>(
rng: &mut (impl RngCore + CryptoRng),
generators: &Generators<C>,
evrf_private_key: Zeroizing<<<C as EvrfCurve>::EmbeddedCurve as Ciphersuite>::F>,
invocation: [u8; 32],
quantity: usize,
) -> Result<EvrfProveResult<C>, AcError>
where
<<C as EvrfCurve>::EmbeddedCurve as Ciphersuite>::G:
DivisorCurve<FieldElement = <C as Ciphersuite>::F>,
{
let curve_spec = CurveSpec {
a: <<C as EvrfCurve>::EmbeddedCurve as Ciphersuite>::G::a(),
b: <<C as EvrfCurve>::EmbeddedCurve as Ciphersuite>::G::b(),
};
// Combine the invocation and the public key into a transcript
let transcript = Blake2s256::digest(
[
invocation.as_slice(),
(<<C as EvrfCurve>::EmbeddedCurve as Ciphersuite>::generator() * *evrf_private_key)
.to_bytes()
.as_ref(),
]
.concat(),
)
.into();
let points = Self::transcript_to_points::<C::EmbeddedCurve>(transcript, quantity);
let num_bits: u32 = <<C as EvrfCurve>::EmbeddedCurve as Ciphersuite>::F::NUM_BITS;
// Obtain the bits of the private key
let mut sum_of_coefficients: u32 = 0;
let mut dlog = vec![<C as Ciphersuite>::F::ZERO; num_bits as usize];
for (i, bit) in evrf_private_key.to_le_bits().into_iter().take(num_bits as usize).enumerate() {
let bit = Choice::from(u8::from(bit));
dlog[i] =
<_>::conditional_select(&<C as Ciphersuite>::F::ZERO, &<C as Ciphersuite>::F::ONE, bit);
sum_of_coefficients += u32::conditional_select(&0, &1, bit);
}
/*
Now that we have the discrete logarithm as the coefficients 0/1 for a polynomial of 2**i, we
want to malleate it such that the sum of its coefficients is NUM_BITS. The divisor
calculcation is a non-trivial amount of work and would be extremely vulnerable to timing
attacks without such efforts.
We find the highest non-0 coefficient, decrement it, and increase the prior coefficient by 2.
This increase the sum of the coefficients by 1.
*/
let two = <C as Ciphersuite>::F::ONE.double();
for _ in 0 .. num_bits {
// Find the highest coefficient currently non-zero
let mut h = 1u32;
// The value of this highest coefficient, and the coefficient prior to it
let mut h_value = dlog[h as usize];
let mut h_prior_value = dlog[(h as usize) - 1];
// TODO: Squash the following two loops by iterating from the top bit to the bottom bit
let mut prior_scalar = dlog[(h as usize) - 1];
for (i, scalar) in dlog.iter().enumerate().skip(h as usize) {
let is_zero = <C as Ciphersuite>::F::ZERO.ct_eq(scalar);
// Set `h_*` if this value is non-0
h = u32::conditional_select(&h, &(i as u32), !is_zero);
h_value = <C as Ciphersuite>::F::conditional_select(&h_value, scalar, !is_zero);
h_prior_value =
<C as Ciphersuite>::F::conditional_select(&h_prior_value, &prior_scalar, !is_zero);
// Update prior_scalar
prior_scalar = *scalar;
}
// We should not have selected a value equivalent to 0
// TODO: Ban evrf keys < NUM_BITS and accordingly unable to be so coerced
// TODO: Preprocess this decomposition of the eVRF key?
assert!(!bool::from(h_value.ct_eq(&<C as Ciphersuite>::F::ZERO)));
// Update h_value, h_prior_value as necessary
h_value -= <C as Ciphersuite>::F::ONE;
h_prior_value += two;
// Now, set these values if we should
let should_set = !sum_of_coefficients.ct_eq(&num_bits);
sum_of_coefficients += u32::conditional_select(&0, &1, should_set);
for (i, scalar) in dlog.iter_mut().enumerate() {
let this_is_prior = (i as u32).ct_eq(&(h - 1));
let this_is_high = (i as u32).ct_eq(&h);
*scalar = <_>::conditional_select(scalar, &h_prior_value, should_set & this_is_prior);
*scalar = <_>::conditional_select(scalar, &h_value, should_set & this_is_high);
}
}
debug_assert!(bool::from(
dlog
.iter()
.sum::<<C as Ciphersuite>::F>()
.ct_eq(&<C as Ciphersuite>::F::from(u64::from(num_bits)))
));
// A tape of the discrete logarithm, then [zero, x**i, y x**i, y, x_coord, y_coord]
let mut vector_commitment_tape = vec![];
// Start by pushing the discrete logarithm onto the tape
for coefficient in &dlog {
vector_commitment_tape.push(*coefficient);
}
let mut generator_tables = Vec::with_capacity(1 + (2 * quantity));
// A function to calculate a divisor and push it onto the tape
// This defines a vec, divisor_points, outside of the fn to reuse its allocation
let mut divisor_points = Vec::with_capacity((num_bits as usize) + 1);
let mut divisor = |mut generator: <<C as EvrfCurve>::EmbeddedCurve as Ciphersuite>::G| {
{
let (x, y) = <C::EmbeddedCurve as Ciphersuite>::G::to_xy(generator).unwrap();
generator_tables.push(GeneratorTable::new(&curve_spec, x, y));
}
let dh = generator * *evrf_private_key;
{
for coefficient in &dlog {
let mut coefficient = *coefficient;
while coefficient != <C as Ciphersuite>::F::ZERO {
coefficient -= <C as Ciphersuite>::F::ONE;
divisor_points.push(generator);
}
generator = generator.double();
}
}
divisor_points.push(-dh);
let mut divisor = new_divisor(&divisor_points).unwrap().normalize_x_coefficient();
divisor_points.zeroize();
vector_commitment_tape.push(divisor.zero_coefficient);
for coefficient in divisor.x_coefficients.iter().skip(1) {
vector_commitment_tape.push(*coefficient);
}
for _ in divisor.x_coefficients.len() ..
<C::EmbeddedCurveParameters as DiscreteLogParameters>::XCoefficientsMinusOne::USIZE
{
vector_commitment_tape.push(<C as Ciphersuite>::F::ZERO);
}
for coefficient in divisor.yx_coefficients.first().unwrap_or(&vec![]) {
vector_commitment_tape.push(*coefficient);
}
for _ in divisor.yx_coefficients.first().unwrap_or(&vec![]).len() ..
<C::EmbeddedCurveParameters as DiscreteLogParameters>::YxCoefficients::USIZE
{
vector_commitment_tape.push(<C as Ciphersuite>::F::ZERO);
}
vector_commitment_tape
.push(divisor.y_coefficients.first().cloned().unwrap_or(<C as Ciphersuite>::F::ZERO));
divisor.zeroize();
drop(divisor);
let (x, y) = <C::EmbeddedCurve as Ciphersuite>::G::to_xy(dh).unwrap();
vector_commitment_tape.push(x);
vector_commitment_tape.push(y);
(x, y)
};
// Push a divisor for each point we use in the eVRF
let mut scalars = Vec::with_capacity(quantity);
for pair in points.chunks(2) {
let mut res = Zeroizing::new(C::F::ZERO);
for point in pair {
let (dh_x, _) = divisor(*point);
*res += dh_x;
}
scalars.push(res);
}
debug_assert_eq!(scalars.len(), quantity);
// Also push a divisor for proving that we're using the correct scalar
let evrf_public_key = divisor(<<C as EvrfCurve>::EmbeddedCurve as Ciphersuite>::generator());
dlog.zeroize();
drop(dlog);
// Now that we have the vector commitment tape, chunk it
let (_, generators_to_use) = Self::muls_and_generators_to_use(quantity);
let mut vector_commitments =
Vec::with_capacity(vector_commitment_tape.len().div_ceil(generators_to_use));
for chunk in vector_commitment_tape.chunks(generators_to_use * 2) {
let g_values = chunk[.. generators_to_use].to_vec().into();
let h_values = chunk[generators_to_use ..].to_vec().into();
vector_commitments.push(PedersenVectorCommitment {
g_values,
h_values,
mask: C::F::random(&mut *rng),
});
}
vector_commitment_tape.zeroize();
drop(vector_commitment_tape);
let mut commitments = Vec::with_capacity(quantity);
for scalar in &scalars {
commitments.push(PedersenCommitment { value: **scalar, mask: C::F::random(&mut *rng) });
}
let mut transcript = ProverTranscript::new(transcript);
let commited_commitments = transcript.write_commitments(
vector_commitments
.iter()
.map(|commitment| {
commitment
.commit(generators.g_bold_slice(), generators.h_bold_slice(), generators.h())
.ok_or(AcError::NotEnoughGenerators)
})
.collect::<Result<_, _>>()?,
commitments
.iter()
.map(|commitment| commitment.commit(generators.g(), generators.h()))
.collect(),
);
let mut circuit = Circuit::prove(vector_commitments, commitments.clone());
Self::circuit::<C>(
&curve_spec,
evrf_public_key,
quantity,
&generator_tables,
&mut circuit,
&mut transcript,
);
let (statement, Some(witness)) = circuit
.statement(
generators.reduce(generators_to_use).ok_or(AcError::NotEnoughGenerators)?,
commited_commitments,
)
.unwrap()
else {
panic!("proving yet wasn't yielded the witness");
};
statement.prove(&mut *rng, &mut transcript, witness).unwrap();
// Push the reveal onto the transcript
for scalar in &scalars {
transcript.push_point(generators.g() * **scalar);
}
// Define a weight to aggregate the commitments with
let mut agg_weights = Vec::with_capacity(quantity);
agg_weights.push(C::F::ONE);
while agg_weights.len() < quantity {
agg_weights.push(transcript.challenge::<C::F>());
}
let mut x = commitments
.iter()
.zip(&agg_weights)
.map(|(commitment, weight)| commitment.mask * *weight)
.sum::<C::F>();
// Do a Schnorr PoK for the randomness of the aggregated Pedersen commitment
let mut r = C::F::random(&mut *rng);
transcript.push_point(generators.h() * r);
let c = transcript.challenge::<C::F>();
transcript.push_scalar(r + (c * x));
r.zeroize();
x.zeroize();
Ok(EvrfProveResult { scalars, proof: transcript.complete() })
}
// TODO: Dedicated error
/// Verify an eVRF proof, returning the commitments output.
pub fn verify<C: EvrfCurve>(
rng: &mut (impl RngCore + CryptoRng),
generators: &Generators<C>,
verifier: &mut BatchVerifier<C>,
evrf_public_key: <<C as EvrfCurve>::EmbeddedCurve as Ciphersuite>::G,
invocation: [u8; 32],
quantity: usize,
proof: &[u8],
) -> Result<Vec<C::G>, ()>
where
<<C as EvrfCurve>::EmbeddedCurve as Ciphersuite>::G:
DivisorCurve<FieldElement = <C as Ciphersuite>::F>,
{
let curve_spec = CurveSpec {
a: <<C as EvrfCurve>::EmbeddedCurve as Ciphersuite>::G::a(),
b: <<C as EvrfCurve>::EmbeddedCurve as Ciphersuite>::G::b(),
};
let transcript =
Blake2s256::digest([invocation.as_slice(), evrf_public_key.to_bytes().as_ref()].concat())
.into();
let points = Self::transcript_to_points::<C::EmbeddedCurve>(transcript, quantity);
let mut generator_tables = Vec::with_capacity(1 + (2 * quantity));
for generator in points {
let (x, y) = <C::EmbeddedCurve as Ciphersuite>::G::to_xy(generator).unwrap();
generator_tables.push(GeneratorTable::new(&curve_spec, x, y));
}
{
let (x, y) =
<C::EmbeddedCurve as Ciphersuite>::G::to_xy(<C::EmbeddedCurve as Ciphersuite>::generator())
.unwrap();
generator_tables.push(GeneratorTable::new(&curve_spec, x, y));
}
let (_, generators_to_use) = Self::muls_and_generators_to_use(quantity);
let mut transcript = VerifierTranscript::new(transcript, proof);
let divisor_len = 1 +
<C::EmbeddedCurveParameters as DiscreteLogParameters>::XCoefficientsMinusOne::USIZE +
<C::EmbeddedCurveParameters as DiscreteLogParameters>::YxCoefficients::USIZE +
1;
let dlog_proof_len = divisor_len + 2;
let vcs = (<C::EmbeddedCurveParameters as DiscreteLogParameters>::ScalarBits::USIZE +
((1 + (2 * quantity)) * dlog_proof_len))
.div_ceil(2 * generators_to_use);
let all_commitments = transcript.read_commitments(vcs, quantity).map_err(|_| ())?;
let commitments = all_commitments.V().to_vec();
let mut circuit = Circuit::verify();
Self::circuit::<C>(
&curve_spec,
// TODO: Use a better error here
<C::EmbeddedCurve as Ciphersuite>::G::to_xy(evrf_public_key).ok_or(())?,
quantity,
&generator_tables,
&mut circuit,
&mut transcript,
);
let (statement, None) =
circuit.statement(generators.reduce(generators_to_use).ok_or(())?, all_commitments).unwrap()
else {
panic!("verifying yet was yielded a witness");
};
statement.verify(rng, verifier, &mut transcript).map_err(|_| ())?;
// Read the unblinded public keys
let mut res = Vec::with_capacity(quantity);
for _ in 0 .. quantity {
res.push(transcript.read_point::<C>().map_err(|_| ())?);
}
let mut agg_weights = Vec::with_capacity(quantity);
agg_weights.push(C::F::ONE);
while agg_weights.len() < quantity {
agg_weights.push(transcript.challenge::<C::F>());
}
let sum_points =
res.iter().zip(&agg_weights).map(|(point, weight)| *point * *weight).sum::<C::G>();
let sum_commitments =
commitments.into_iter().zip(agg_weights).map(|(point, weight)| point * weight).sum::<C::G>();
#[allow(non_snake_case)]
let A = sum_commitments - sum_points;
#[allow(non_snake_case)]
let R = transcript.read_point::<C>().map_err(|_| ())?;
let c = transcript.challenge::<C::F>();
let s = transcript.read_scalar::<C>().map_err(|_| ())?;
// Doesn't batch verify this as we can't access the internals of the GBP batch verifier
if (R + (A * c)) != (generators.h() * s) {
Err(())?;
}
if !transcript.complete().is_empty() {
Err(())?
};
Ok(res)
}
}

89
crypto/dkg/src/tests/evrf/proof.rs Normal file
View File

@@ -0,0 +1,89 @@
use std::time::Instant;
use rand_core::OsRng;
use zeroize::{Zeroize, Zeroizing};
use generic_array::typenum::{Sum, Diff, Quot, U, U1, U2};
use blake2::{Digest, Blake2b512};
use ciphersuite::{
group::ff::{FromUniformBytes, PrimeField},
Ciphersuite,
};
use pasta_curves::{Ep, Eq, Fp, Fq};
use generalized_bulletproofs::tests::generators;
use crate::*;
#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
struct Pallas;
impl Ciphersuite for Pallas {
type F = Fq;
type G = Ep;
type H = Blake2b512;
const ID: &'static [u8] = b"Pallas";
fn generator() -> Ep {
Ep::generator()
}
fn hash_to_F(dst: &[u8], msg: &[u8]) -> Self::F {
// This naive concat may be insecure in a real world deployment
// This is solely test code so it's fine
Self::F::from_uniform_bytes(&Self::H::digest([dst, msg].concat()).into())
}
}
#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
struct Vesta;
impl Ciphersuite for Vesta {
type F = Fp;
type G = Eq;
type H = Blake2b512;
const ID: &'static [u8] = b"Vesta";
fn generator() -> Eq {
Eq::generator()
}
fn hash_to_F(dst: &[u8], msg: &[u8]) -> Self::F {
// This naive concat may be insecure in a real world deployment
// This is solely test code so it's fine
Self::F::from_uniform_bytes(&Self::H::digest([dst, msg].concat()).into())
}
}
struct VestaParams;
impl DiscreteLogParameters for VestaParams {
type ScalarBits = U<{ <<Vesta as Ciphersuite>::F as PrimeField>::NUM_BITS as usize }>;
type XCoefficients = Quot<Sum<Self::ScalarBits, U1>, U2>;
type XCoefficientsMinusOne = Diff<Self::XCoefficients, U1>;
type YxCoefficients = Diff<Quot<Sum<Self::ScalarBits, U1>, U2>, U2>;
}
impl EvrfCurve for Pallas {
type EmbeddedCurve = Vesta;
type EmbeddedCurveParameters = VestaParams;
}
#[test]
fn pasta_test() {
let generators = generators(1024);
let vesta_private_key = Zeroizing::new(<Vesta as Ciphersuite>::F::random(&mut OsRng));
let time = Instant::now();
let res =
Evrf::prove::<Pallas>(&mut OsRng, &generators, vesta_private_key.clone(), [0; 32], 1).unwrap();
println!("Proving time: {:?}", Instant::now() - time);
let time = Instant::now();
let mut verifier = generators.batch_verifier();
dbg!(Evrf::verify::<Pallas>(
&mut OsRng,
&generators,
&mut verifier,
Vesta::generator() * *vesta_private_key,
[0; 32],
1,
&res.proof,
)
.unwrap());
assert!(generators.verify(verifier));
println!("Verifying time: {:?}", Instant::now() - time);
}