Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519

2025-12-13 22:49:25 +00:00 · 2024-07-28 15:20:52 -04:00
parent 681010f422
commit a6775d7dc5
13 changed files with 118 additions and 17 deletions
--- a/crypto/evrf/embedwards25519/Cargo.toml
+++ b/crypto/evrf/embedwards25519/Cargo.toml
@@ -21,14 +21,15 @@ rand_core = { version = "0.6", default-features = false, features = ["std"] }
 zeroize = { version = "^1.5", default-features = false, features = ["std", "zeroize_derive"] }
 subtle = { version = "^2.4", default-features = false, features = ["std"] }

-ff = { version = "0.13", default-features = false, features = ["std", "bits"] }
-group = { version = "0.13", default-features = false }
-
+generic-array = { version = "0.14", default-features = false }
 crypto-bigint = { version = "0.5", default-features = false, features = ["zeroize"] }

 dalek-ff-group = { path = "../../dalek-ff-group", version = "0.4", default-features = false }

+blake2 = { version = "0.10", default-features = false, features = ["std"] }
+ciphersuite = { path = "../../ciphersuite", version = "0.4", default-features = false, features = ["std"] }
 ec-divisors = { path = "../divisors" }
+generalized-bulletproofs-ec-gadgets = { path = "../ec-gadgets" }

 [dev-dependencies]
 hex = "0.4"
--- a/crypto/evrf/embedwards25519/src/backend.rs
+++ b/crypto/evrf/embedwards25519/src/backend.rs
@@ -90,7 +90,9 @@ macro_rules! field {

    use crypto_bigint::{Integer, NonZero, Encoding, impl_modulus};

-    use ff::{Field, PrimeField, FieldBits, PrimeFieldBits, helpers::sqrt_ratio_generic};
+    use ciphersuite::group::ff::{
+      Field, PrimeField, FieldBits, PrimeFieldBits, helpers::sqrt_ratio_generic,
+    };

    use $crate::backend::u8_from_bool;

--- a/crypto/evrf/embedwards25519/src/lib.rs
+++ b/crypto/evrf/embedwards25519/src/lib.rs
@@ -1,6 +1,9 @@
 #![cfg_attr(docsrs, feature(doc_auto_cfg))]
 #![doc = include_str!("../README.md")]

+use generic_array::typenum::{Sum, Diff, Quot, U, U1, U2};
+use ciphersuite::group::{ff::PrimeField, Group};
+
 #[macro_use]
 mod backend;

@@ -11,3 +14,34 @@ pub use dalek_ff_group::Scalar as FieldElement;

 mod point;
 pub use point::Point;
+
+/// Ciphersuite for Embedwards25519.
+///
+/// hash_to_F is implemented with a naive concatenation of the dst and data, allowing transposition
+/// between the two. This means `dst: b"abc", data: b"def"`, will produce the same scalar as
+/// `dst: "abcdef", data: b""`. Please use carefully, not letting dsts be substrings of each other.
+#[derive(Clone, Copy, PartialEq, Eq, Debug, zeroize::Zeroize)]
+pub struct Embedwards25519;
+impl ciphersuite::Ciphersuite for Embedwards25519 {
+  type F = Scalar;
+  type G = Point;
+  type H = blake2::Blake2b512;
+
+  const ID: &'static [u8] = b"embedwards25519";
+
+  fn generator() -> Self::G {
+    Point::generator()
+  }
+
+  fn hash_to_F(dst: &[u8], data: &[u8]) -> Self::F {
+    use blake2::Digest;
+    Scalar::wide_reduce(Self::H::digest([dst, data].concat()).as_slice().try_into().unwrap())
+  }
+}
+
+impl generalized_bulletproofs_ec_gadgets::DiscreteLogParameters for Embedwards25519 {
+  type ScalarBits = U<{ Scalar::NUM_BITS as usize }>;
+  type XCoefficients = Quot<Sum<Self::ScalarBits, U1>, U2>;
+  type XCoefficientsMinusOne = Diff<Self::XCoefficients, U1>;
+  type YxCoefficients = Diff<Quot<Sum<Self::ScalarBits, U1>, U2>, U2>;
+}
--- a/crypto/evrf/embedwards25519/src/point.rs
+++ b/crypto/evrf/embedwards25519/src/point.rs
@@ -8,7 +8,7 @@ use rand_core::RngCore;
 use zeroize::Zeroize;
 use subtle::{Choice, CtOption, ConstantTimeEq, ConditionallySelectable};

-use group::{
+use ciphersuite::group::{
  ff::{Field, PrimeField, PrimeFieldBits},
  Group, GroupEncoding,
  prime::PrimeGroup,