Create dedicated message structures for FROST messages (#140)

* Create message types for FROST key gen

Taking in reader borrows absolutely wasn't feasible. Now, proper types
which can be read (and then passed directly, without a mutable borrow)
exist for key_gen. sign coming next.

* Move FROST signing to messages, not Readers/Writers/Vec<u8>

Also takes the nonce handling code and makes a dedicated file for it, 
aiming to resolve complex types and make the code more legible by 
replacing its previously inlined state.

* clippy

* Update FROST tests

* read_signature_share

* Update the Monero library to the new FROST packages

* Update processor to latest FROST

* Tweaks to terminology and documentation

coins/monero/src/ringct/clsag/multisig.rs

@@ -1,6 +1,6 @@
 use core::fmt::Debug;
 use std::{
-  io::Read,
+  io::{self, Read, Write},
   sync::{Arc, RwLock},
 };
 
@@ -16,20 +16,26 @@ use curve25519_dalek::{
   edwards::EdwardsPoint,
 };
 
-use group::Group;
+use group::{Group, GroupEncoding};
 
 use transcript::{Transcript, RecommendedTranscript};
-use frost::{curve::Ed25519, FrostError, FrostView, algorithm::Algorithm};
 use dalek_ff_group as dfg;
-
-use crate::{
-  frost::{write_dleq, read_dleq},
-  ringct::{
-    hash_to_point,
-    clsag::{ClsagInput, Clsag},
-  },
+use dleq::DLEqProof;
+use frost::{
+  curve::Ed25519,
+  FrostError, FrostView,
+  algorithm::{AddendumSerialize, Algorithm},
 };
 
+use crate::ringct::{
+  hash_to_point,
+  clsag::{ClsagInput, Clsag},
+};
+
+fn dleq_transcript() -> RecommendedTranscript {
+  RecommendedTranscript::new(b"monero_key_image_dleq")
+}
+
 impl ClsagInput {
   fn transcript<T: Transcript>(&self, transcript: &mut T) {
     // Doesn't domain separate as this is considered part of the larger CLSAG proof
@@ -54,7 +60,7 @@ impl ClsagInput {
   }
 }
 
-/// CLSAG Input and the mask to use for it.
+/// CLSAG input and the mask to use for it.
 #[derive(Clone, Debug, Zeroize, ZeroizeOnDrop)]
 pub struct ClsagDetails {
   input: ClsagInput,
@@ -67,6 +73,20 @@ impl ClsagDetails {
   }
 }
 
+/// Addendum produced during the FROST signing process with relevant data.
+#[derive(Clone, PartialEq, Eq, Zeroize, Debug)]
+pub struct ClsagAddendum {
+  pub(crate) key_image: dfg::EdwardsPoint,
+  dleq: DLEqProof<dfg::EdwardsPoint>,
+}
+
+impl AddendumSerialize for ClsagAddendum {
+  fn write<W: Write>(&self, writer: &mut W) -> io::Result<()> {
+    writer.write_all(self.key_image.compress().to_bytes().as_ref())?;
+    self.dleq.serialize(writer)
+  }
+}
+
 #[allow(non_snake_case)]
 #[derive(Clone, PartialEq, Eq, Debug)]
 struct Interim {
@@ -113,10 +133,6 @@ impl ClsagMultisig {
     }
   }
 
-  pub(crate) const fn serialized_len() -> usize {
-    32 + (2 * 32)
-  }
-
   fn input(&self) -> ClsagInput {
     (*self.details.read().unwrap()).as_ref().unwrap().input.clone()
   }
@@ -128,6 +144,7 @@ impl ClsagMultisig {
 
 impl Algorithm<Ed25519> for ClsagMultisig {
   type Transcript = RecommendedTranscript;
+  type Addendum = ClsagAddendum;
   type Signature = (Clsag, EdwardsPoint);
 
   fn nonces(&self) -> Vec<Vec<dfg::EdwardsPoint>> {
@@ -138,18 +155,42 @@ impl Algorithm<Ed25519> for ClsagMultisig {
     &mut self,
     rng: &mut R,
     view: &FrostView<Ed25519>,
-  ) -> Vec<u8> {
-    let mut serialized = Vec::with_capacity(Self::serialized_len());
-    serialized.extend((view.secret_share().0 * self.H).compress().to_bytes());
-    serialized.extend(write_dleq(rng, self.H, view.secret_share().0));
-    serialized
+  ) -> ClsagAddendum {
+    ClsagAddendum {
+      key_image: dfg::EdwardsPoint(self.H * view.secret_share().0),
+      dleq: DLEqProof::prove(
+        rng,
+        // Doesn't take in a larger transcript object due to the usage of this
+        // Every prover would immediately write their own DLEq proof, when they can only do so in
+        // the proper order if they want to reach consensus
+        // It'd be a poor API to have CLSAG define a new transcript solely to pass here, just to
+        // try to merge later in some form, when it should instead just merge xH (as it does)
+        &mut dleq_transcript(),
+        &[dfg::EdwardsPoint::generator(), dfg::EdwardsPoint(self.H)],
+        dfg::Scalar(view.secret_share().0),
+      ),
+    }
   }
 
-  fn process_addendum<Re: Read>(
+  fn read_addendum<R: Read>(&self, reader: &mut R) -> io::Result<ClsagAddendum> {
+    let mut bytes = [0; 32];
+    reader.read_exact(&mut bytes)?;
+    // dfg ensures the point is torsion free
+    let xH = Option::<dfg::EdwardsPoint>::from(dfg::EdwardsPoint::from_bytes(&bytes))
+      .ok_or_else(|| io::Error::new(io::ErrorKind::Other, "invalid key image"))?;
+    // Ensure this is a canonical point
+    if xH.to_bytes() != bytes {
+      Err(io::Error::new(io::ErrorKind::Other, "non-canonical key image"))?;
+    }
+
+    Ok(ClsagAddendum { key_image: xH, dleq: DLEqProof::<dfg::EdwardsPoint>::deserialize(reader)? })
+  }
+
+  fn process_addendum(
     &mut self,
     view: &FrostView<Ed25519>,
     l: u16,
-    serialized: &mut Re,
+    addendum: ClsagAddendum,
   ) -> Result<(), FrostError> {
     if self.image.is_identity() {
       self.transcript.domain_separate(b"CLSAG");
@@ -158,11 +199,20 @@ impl Algorithm<Ed25519> for ClsagMultisig {
     }
 
     self.transcript.append_message(b"participant", &l.to_be_bytes());
-    let image = read_dleq(serialized, self.H, l, view.verification_share(l))
-      .map_err(|_| FrostError::InvalidCommitment(l))?
-      .0;
-    self.transcript.append_message(b"key_image_share", image.compress().to_bytes().as_ref());
-    self.image += image;
+
+    addendum
+      .dleq
+      .verify(
+        &mut dleq_transcript(),
+        &[dfg::EdwardsPoint::generator(), dfg::EdwardsPoint(self.H)],
+        &[view.verification_share(l), addendum.key_image],
+      )
+      .map_err(|_| FrostError::InvalidPreprocess(l))?;
+
+    self
+      .transcript
+      .append_message(b"key_image_share", addendum.key_image.compress().to_bytes().as_ref());
+    self.image += addendum.key_image.0;
 
     Ok(())
   }