Smash the singular Ciphersuite trait into multiple

This helps identify where the various functionalities are used, or rather, not used. The `Ciphersuite` trait present in `patches/ciphersuite`, facilitating the entire FCMP++ tree, only requires the markers _and_ canonical point decoding. I've opened a PR to upstream such a trait into `group` (https://github.com/zkcrypto/group/pull/68). `WrappedGroup` is still justified for as long as `Group::generator` exists. Moving `::generator()` to its own trait, on an independent structure (upstream) would be massively appreciated. @tarcieri also wanted to update from `fn generator()` to `const GENERATOR`, which would encourage further discussion on https://github.com/zkcrypto/group/issues/32 and https://github.com/zkcrypto/group/issues/45, which have been stagnant. The `Id` trait is occasionally used yet really should be first off the chopping block. Finally, `WithPreferredHash` is only actually used around a third of the time, which more than justifies it being a separate trait. --- Updates `dalek_ff_group::Scalar` to directly re-export `curve25519_dalek::Scalar`, as without issue. `dalek_ff_group::RistrettoPoint` also could be replaced with an export of `curve25519_dalek::RistrettoPoint`, yet the coordinator relies on how we implemented `Hash` on it for the hell of it so it isn't worth it at this time. `dalek_ff_group::EdwardsPoint` can't be replaced for an re-export of `curve25519_dalek::SubgroupPoint` as it doesn't implement `zeroize`, `subtle` traits within a released, non-yanked version. Relevance to https://github.com/serai-dex/serai/issues/201 and https://github.com/dalek-cryptography/curve25519-dalek/issues/811#issuecomment-3247732746. Also updates the `Ristretto` ciphersuite to prefer `Blake2b-512` over `SHA2-512`. In order to maintain compliance with FROST's IETF standard, `modular-frost` defines its own ciphersuite for Ristretto which still uses `SHA2-512`.
2025-12-09 04:39:24 +00:00 · 2025-09-03 12:25:37 -04:00
parent 215e41fdb6
commit a141deaf36
124 changed files with 1003 additions and 1211 deletions
--- a/coordinator/tributary/src/transaction.rs
+++ b/coordinator/tributary/src/transaction.rs
@@ -6,8 +6,8 @@ use rand_core::{RngCore, CryptoRng};

 use blake2::{digest::typenum::U32, Digest, Blake2b};
 use ciphersuite::{
-  group::{ff::Field, Group, GroupEncoding},
-  Ciphersuite,
+  group::{Group, GroupEncoding},
+  *,
 };
 use dalek_ff_group::Ristretto;
 use schnorr::SchnorrSignature;
@@ -52,7 +52,7 @@ impl SigningProtocolRound {
 #[derive(Clone, Copy, PartialEq, Eq, Debug)]
 pub struct Signed {
  /// The signer.
-  signer: <Ristretto as Ciphersuite>::G,
+  signer: <Ristretto as WrappedGroup>::G,
  /// The signature.
  signature: SchnorrSignature<Ristretto>,
 }
@@ -73,7 +73,7 @@ impl BorshDeserialize for Signed {

 impl Signed {
  /// Fetch the signer.
-  pub(crate) fn signer(&self) -> <Ristretto as Ciphersuite>::G {
+  pub(crate) fn signer(&self) -> <Ristretto as WrappedGroup>::G {
    self.signer
  }

@@ -86,10 +86,10 @@ impl Signed {
 impl Default for Signed {
  fn default() -> Self {
    Self {
-      signer: <Ristretto as Ciphersuite>::G::identity(),
+      signer: <Ristretto as WrappedGroup>::G::identity(),
      signature: SchnorrSignature {
-        R: <Ristretto as Ciphersuite>::G::identity(),
-        s: <Ristretto as Ciphersuite>::F::ZERO,
+        R: <Ristretto as WrappedGroup>::G::identity(),
+        s: <Ristretto as WrappedGroup>::F::ZERO,
      },
    }
  }
@@ -356,7 +356,7 @@ impl Transaction {
    &mut self,
    rng: &mut R,
    genesis: [u8; 32],
-    key: &Zeroizing<<Ristretto as Ciphersuite>::F>,
+    key: &Zeroizing<<Ristretto as WrappedGroup>::F>,
  ) {
    fn signed(tx: &mut Transaction) -> &mut Signed {
      #[allow(clippy::match_same_arms)] // This doesn't make semantic sense here
@@ -380,13 +380,13 @@ impl Transaction {
    }

    // Decide the nonce to sign with
-    let sig_nonce = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(rng));
+    let sig_nonce = Zeroizing::new(<Ristretto as WrappedGroup>::F::random(rng));

    {
      // Set the signer and the nonce
      let signed = signed(self);
      signed.signer = Ristretto::generator() * key.deref();
-      signed.signature.R = <Ristretto as Ciphersuite>::generator() * sig_nonce.deref();
+      signed.signature.R = <Ristretto as WrappedGroup>::generator() * sig_nonce.deref();
    }

    // Get the signature hash (which now includes `R || A` making it valid as the challenge)