Smash the singular Ciphersuite trait into multiple

This helps identify where the various functionalities are used, or rather, not used. The `Ciphersuite` trait present in `patches/ciphersuite`, facilitating the entire FCMP++ tree, only requires the markers _and_ canonical point decoding. I've opened a PR to upstream such a trait into `group` (https://github.com/zkcrypto/group/pull/68). `WrappedGroup` is still justified for as long as `Group::generator` exists. Moving `::generator()` to its own trait, on an independent structure (upstream) would be massively appreciated. @tarcieri also wanted to update from `fn generator()` to `const GENERATOR`, which would encourage further discussion on https://github.com/zkcrypto/group/issues/32 and https://github.com/zkcrypto/group/issues/45, which have been stagnant. The `Id` trait is occasionally used yet really should be first off the chopping block. Finally, `WithPreferredHash` is only actually used around a third of the time, which more than justifies it being a separate trait. --- Updates `dalek_ff_group::Scalar` to directly re-export `curve25519_dalek::Scalar`, as without issue. `dalek_ff_group::RistrettoPoint` also could be replaced with an export of `curve25519_dalek::RistrettoPoint`, yet the coordinator relies on how we implemented `Hash` on it for the hell of it so it isn't worth it at this time. `dalek_ff_group::EdwardsPoint` can't be replaced for an re-export of `curve25519_dalek::SubgroupPoint` as it doesn't implement `zeroize`, `subtle` traits within a released, non-yanked version. Relevance to https://github.com/serai-dex/serai/issues/201 and https://github.com/dalek-cryptography/curve25519-dalek/issues/811#issuecomment-3247732746. Also updates the `Ristretto` ciphersuite to prefer `Blake2b-512` over `SHA2-512`. In order to maintain compliance with FROST's IETF standard, `modular-frost` defines its own ciphersuite for Ristretto which still uses `SHA2-512`.
2025-12-08 12:19:24 +00:00 · 2025-09-03 12:25:37 -04:00
parent 215e41fdb6
commit a141deaf36
124 changed files with 1003 additions and 1211 deletions
--- a/crypto/schnorr/Cargo.toml
+++ b/crypto/schnorr/Cargo.toml
@@ -22,6 +22,7 @@ std-shims = { path = "../../common/std-shims", version = "^0.1.1", default-featu
 rand_core = { version = "0.6", default-features = false }

 zeroize = { version = "^1.5", default-features = false, features = ["zeroize_derive"] }
+digest = { version = "0.11.0-rc.1", default-features = false, features = ["block-api"] }

 transcript = { package = "flexible-transcript", path = "../transcript", version = "^0.3.2", default-features = false, optional = true }

--- a/crypto/schnorr/src/aggregate.rs
+++ b/crypto/schnorr/src/aggregate.rs
@@ -5,74 +5,34 @@ use std_shims::{

 use zeroize::Zeroize;

-use transcript::{Transcript, SecureDigest, DigestTranscript};
+use transcript::{Transcript, DigestTranscript};

 use ciphersuite::{
  group::{
    ff::{Field, PrimeField},
    Group, GroupEncoding,
  },
-  Ciphersuite,
+  FromUniformBytes, GroupIo, WithPreferredHash,
 };
 use multiexp::multiexp_vartime;

 use crate::SchnorrSignature;

 // Returns a unbiased scalar weight to use on a signature in order to prevent malleability
-fn weight<D: Send + Clone + SecureDigest, F: PrimeField>(digest: &mut DigestTranscript<D>) -> F {
-  let mut bytes = digest.challenge(b"aggregation_weight");
-  debug_assert_eq!(bytes.len() % 8, 0);
-  // This should be guaranteed thanks to SecureDigest
-  debug_assert!(bytes.len() >= 32);
-
-  let mut res = F::ZERO;
-  let mut i = 0;
-
-  // Derive a scalar from enough bits of entropy that bias is < 2^128
-  // This can't be const due to its usage of a generic
-  // Also due to the usize::try_from, yet that could be replaced with an `as`
-  #[allow(non_snake_case)]
-  let BYTES: usize = usize::try_from((F::NUM_BITS + 128).div_ceil(8)).unwrap();
-
-  let mut remaining = BYTES;
-
-  // We load bits in as u64s
-  const WORD_LEN_IN_BITS: usize = 64;
-  const WORD_LEN_IN_BYTES: usize = WORD_LEN_IN_BITS / 8;
-
-  let mut first = true;
-  while i < remaining {
-    // Shift over the already loaded bits
-    if !first {
-      for _ in 0 .. WORD_LEN_IN_BITS {
-        res += res;
-      }
-    }
-    first = false;
-
-    // Add the next 64 bits
-    res += F::from(u64::from_be_bytes(bytes[i .. (i + WORD_LEN_IN_BYTES)].try_into().unwrap()));
-    i += WORD_LEN_IN_BYTES;
-
-    // If we've exhausted this challenge, get another
-    if i == bytes.len() {
-      bytes = digest.challenge(b"aggregation_weight_continued");
-      remaining -= i;
-      i = 0;
-    }
-  }
-  res
+fn weight<C: WithPreferredHash>(digest: &mut DigestTranscript<C::H>) -> C::F {
+  let bytes = digest.challenge(b"aggregation_weight");
+  C::F::from_uniform_bytes(&bytes.into())
 }

 /// Aggregate Schnorr signature as defined in <https://eprint.iacr.org/2021/350>.
 #[allow(non_snake_case)]
 #[derive(Clone, PartialEq, Eq, Debug, Zeroize)]
-pub struct SchnorrAggregate<C: Ciphersuite> {
+pub struct SchnorrAggregate<C: GroupIo + WithPreferredHash> {
  Rs: Vec<C::G>,
  s: C::F,
 }

-impl<C: Ciphersuite> SchnorrAggregate<C> {
+impl<C: GroupIo + WithPreferredHash> SchnorrAggregate<C> {
  /// Read a SchnorrAggregate from something implementing Read.
  pub fn read<R: Read>(reader: &mut R) -> io::Result<Self> {
    let mut len = [0; 4];
@@ -137,7 +97,7 @@ impl<C: Ciphersuite> SchnorrAggregate<C> {

    let mut pairs = Vec::with_capacity((2 * keys_and_challenges.len()) + 1);
    for (i, (key, challenge)) in keys_and_challenges.iter().enumerate() {
-      let z = weight(&mut digest);
+      let z = weight::<C>(&mut digest);
      pairs.push((z, self.Rs[i]));
      pairs.push((z * challenge, *key));
    }
@@ -148,13 +108,22 @@ impl<C: Ciphersuite> SchnorrAggregate<C> {

 /// A signature aggregator capable of consuming signatures in order to produce an aggregate.
 #[allow(non_snake_case)]
-#[derive(Clone, Debug, Zeroize)]
-pub struct SchnorrAggregator<C: Ciphersuite> {
+#[derive(Clone, Debug)]
+pub struct SchnorrAggregator<C: GroupIo + WithPreferredHash> {
  digest: DigestTranscript<C::H>,
  sigs: Vec<SchnorrSignature<C>>,
 }
+impl<C: GroupIo + WithPreferredHash> Zeroize for SchnorrAggregator<C>
+where
+  C::H: digest::block_api::BlockSizeUser,
+{
+  fn zeroize(&mut self) {
+    self.digest.zeroize();
+    self.sigs.zeroize();
+  }
+}

-impl<C: Ciphersuite> SchnorrAggregator<C> {
+impl<C: GroupIo + WithPreferredHash> SchnorrAggregator<C> {
  /// Create a new aggregator.
  ///
  /// The DST used here must prevent a collision with whatever hash function produced the
@@ -180,7 +149,7 @@ impl<C: Ciphersuite> SchnorrAggregator<C> {
    let mut aggregate = SchnorrAggregate { Rs: Vec::with_capacity(self.sigs.len()), s: C::F::ZERO };
    for i in 0 .. self.sigs.len() {
      aggregate.Rs.push(self.sigs[i].R);
-      aggregate.s += self.sigs[i].s * weight::<_, C::F>(&mut self.digest);
+      aggregate.s += self.sigs[i].s * weight::<C>(&mut self.digest);
    }
    Some(aggregate)
  }
--- a/crypto/schnorr/src/lib.rs
+++ b/crypto/schnorr/src/lib.rs
@@ -20,7 +20,7 @@ use ciphersuite::{
    ff::{Field, PrimeField},
    Group, GroupEncoding,
  },
-  Ciphersuite,
+  GroupIo,
 };
 use multiexp::{multiexp_vartime, BatchVerifier};

@@ -33,20 +33,20 @@ mod tests;

 /// A Schnorr signature of the form (R, s) where s = r + cx.
 ///
-/// These are intended to be strict. It is generic over Ciphersuite which is for PrimeGroups,
+/// These are intended to be strict. It is generic over `GroupIo` which is for `PrimeGroup`s,
 /// and mandates canonical encodings in its read function.
 ///
-/// RFC 8032 has an alternative verification formula, 8R = 8s - 8cX, which is intended to handle
-/// torsioned nonces/public keys. Due to this library's strict requirements, such signatures will
-/// not be verifiable with this library.
+/// RFC 8032 has an alternative verification formula for Ed25519, `8R = 8s - 8cX`, which is
+/// intended to handle torsioned nonces/public keys. Due to this library's strict requirements,
+/// such signatures will not be verifiable with this library.
 #[allow(non_snake_case)]
 #[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
-pub struct SchnorrSignature<C: Ciphersuite> {
+pub struct SchnorrSignature<C: GroupIo> {
  pub R: C::G,
  pub s: C::F,
 }

-impl<C: Ciphersuite> SchnorrSignature<C> {
+impl<C: GroupIo> SchnorrSignature<C> {
  /// Read a SchnorrSignature from something implementing Read.
  pub fn read<R: Read>(reader: &mut R) -> io::Result<Self> {
    Ok(SchnorrSignature { R: C::read_G(reader)?, s: C::read_F(reader)? })
--- a/crypto/schnorr/src/tests/mod.rs
+++ b/crypto/schnorr/src/tests/mod.rs
@@ -6,7 +6,7 @@ use rand_core::OsRng;
 use dalek_ff_group::Ed25519;
 use ciphersuite::{
  group::{ff::Field, Group},
-  Ciphersuite,
+  GroupIo, WithPreferredHash,
 };
 use multiexp::BatchVerifier;

@@ -16,10 +16,10 @@ use crate::aggregate::{SchnorrAggregator, SchnorrAggregate};

 mod rfc8032;

-pub(crate) fn sign<C: Ciphersuite>() {
-  let private_key = Zeroizing::new(C::random_nonzero_F(&mut OsRng));
-  let nonce = Zeroizing::new(C::random_nonzero_F(&mut OsRng));
-  let challenge = C::random_nonzero_F(&mut OsRng); // Doesn't bother to craft an HRAm
+pub(crate) fn sign<C: GroupIo>() {
+  let private_key = Zeroizing::new(C::F::random(&mut OsRng));
+  let nonce = Zeroizing::new(C::F::random(&mut OsRng));
+  let challenge = C::F::random(&mut OsRng); // Doesn't bother to craft an HRAm
  assert!(SchnorrSignature::<C>::sign(&private_key, nonce, challenge)
    .verify(C::generator() * private_key.deref(), challenge));
 }
@@ -27,22 +27,22 @@ pub(crate) fn sign<C: Ciphersuite>() {
 // The above sign function verifies signing works
 // This verifies invalid signatures don't pass, using zero signatures, which should effectively be
 // random
-pub(crate) fn verify<C: Ciphersuite>() {
+pub(crate) fn verify<C: GroupIo>() {
  assert!(!SchnorrSignature::<C> { R: C::G::identity(), s: C::F::ZERO }
-    .verify(C::generator() * C::random_nonzero_F(&mut OsRng), C::random_nonzero_F(&mut OsRng)));
+    .verify(C::generator() * C::F::random(&mut OsRng), C::F::random(&mut OsRng)));
 }

-pub(crate) fn batch_verify<C: Ciphersuite>() {
+pub(crate) fn batch_verify<C: GroupIo>() {
  // Create 5 signatures
  let mut keys = vec![];
  let mut challenges = vec![];
  let mut sigs = vec![];
  for i in 0 .. 5 {
-    keys.push(Zeroizing::new(C::random_nonzero_F(&mut OsRng)));
-    challenges.push(C::random_nonzero_F(&mut OsRng));
+    keys.push(Zeroizing::new(C::F::random(&mut OsRng)));
+    challenges.push(C::F::random(&mut OsRng));
    sigs.push(SchnorrSignature::<C>::sign(
      &keys[i],
-      Zeroizing::new(C::random_nonzero_F(&mut OsRng)),
+      Zeroizing::new(C::F::random(&mut OsRng)),
      challenges[i],
    ));
  }
@@ -78,7 +78,7 @@ pub(crate) fn batch_verify<C: Ciphersuite>() {
 }

 #[cfg(feature = "aggregate")]
-pub(crate) fn aggregate<C: Ciphersuite>() {
+pub(crate) fn aggregate<C: GroupIo + WithPreferredHash>() {
  const DST: &[u8] = b"Schnorr Aggregator Test";

  // Create 5 signatures
@@ -86,14 +86,14 @@ pub(crate) fn aggregate<C: Ciphersuite>() {
  let mut challenges = vec![];
  let mut aggregator = SchnorrAggregator::<C>::new(DST);
  for i in 0 .. 5 {
-    keys.push(Zeroizing::new(C::random_nonzero_F(&mut OsRng)));
+    keys.push(Zeroizing::new(C::F::random(&mut OsRng)));
    // In practice, this MUST be a secure challenge binding to the nonce, key, and any message
-    challenges.push(C::random_nonzero_F(&mut OsRng));
+    challenges.push(C::F::random(&mut OsRng));
    aggregator.aggregate(
      challenges[i],
      SchnorrSignature::<C>::sign(
        &keys[i],
-        Zeroizing::new(C::random_nonzero_F(&mut OsRng)),
+        Zeroizing::new(C::F::random(&mut OsRng)),
        challenges[i],
      ),
    );
--- a/crypto/schnorr/src/tests/rfc8032.rs
+++ b/crypto/schnorr/src/tests/rfc8032.rs
@@ -6,7 +6,7 @@
 use sha2::{Digest, Sha512};

 use dalek_ff_group::{Scalar, Ed25519};
-use ciphersuite::{group::GroupEncoding, Ciphersuite};
+use ciphersuite::{group::GroupEncoding, GroupIo};

 use crate::SchnorrSignature;