absolutebi/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-12-08 20:29:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Various feature tweaks and updates

Browse Source
This commit is contained in:
Luke Parker
2025-08-29 06:14:25 -04:00
parent 90bc364f9f
commit e2dc5db7aa
25 changed files with 126 additions and 462 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
crypto/dalek-ff-group/Cargo.toml
View File

@@ -17,8 +17,6 @@ rustdoc-args = ["--cfg", "docsrs"]
workspace = true
[dependencies]
rustversion = "1"
zeroize = { version = "^1.5", default-features = false, features = ["zeroize_derive"] }
subtle = { version = "^2.4", default-features = false }
@@ -27,8 +25,7 @@ rand_core = { version = "0.6", default-features = false }
digest = { version = "0.10", default-features = false }
sha2 = { version = "0.11.0-rc.0", default-features = false }
ff = { version = "0.13", default-features = false, features = ["bits"] }
group = { version = "0.13", default-features = false }
prime-field = { path = "../prime-field", default-features = false }
ciphersuite = { version = "0.4.2", path = "../ciphersuite", default-features = false }
crypto-bigint = { version = "0.5", default-features = false, features = ["zeroize"] }
@@ -41,6 +38,6 @@ rand_core = { version = "0.6", default-features = false, features = ["std"] }
ff-group-tests = { path = "../ff-group-tests" }
[features]
alloc = ["zeroize/alloc", "ciphersuite/alloc", "curve25519-dalek/alloc"]
std = ["alloc", "zeroize/std", "subtle/std", "rand_core/std", "digest/std", "ciphersuite/std"]
alloc = ["zeroize/alloc", "digest/alloc", "prime-field/alloc", "ciphersuite/alloc", "curve25519-dalek/alloc"]
std = ["alloc", "zeroize/std", "subtle/std", "rand_core/std", "digest/std", "prime-field/std", "ciphersuite/std"]
default = ["std"]

5
crypto/dalek-ff-group/src/ciphersuite.rs
View File

@@ -2,10 +2,9 @@ use zeroize::Zeroize;
use sha2::Sha512;
use group::Group;
use crate::Scalar;
use ciphersuite::{group::Group, Ciphersuite};
use ciphersuite::Ciphersuite;
use crate::Scalar;
macro_rules! dalek_curve {
(

374
crypto/dalek-ff-group/src/field.rs
View File

@@ -1,374 +0,0 @@
use core::{
ops::{Add, AddAssign, Sub, SubAssign, Neg, Mul, MulAssign},
iter::{Sum, Product},
};
use zeroize::Zeroize;
use rand_core::RngCore;
use subtle::{
Choice, CtOption, ConstantTimeEq, ConstantTimeLess, ConditionallyNegatable,
ConditionallySelectable,
};
use crypto_bigint::{
Integer, NonZero, Encoding, U256, U512,
modular::constant_mod::{ResidueParams, Residue},
impl_modulus,
};
use group::ff::{Field, PrimeField, FieldBits, PrimeFieldBits, FromUniformBytes};
use crate::{u8_from_bool, constant_time, math_op, math};
// 2 ** 255 - 19
// Uses saturating_sub because checked_sub isn't available at compile time
const MODULUS: U256 = U256::from_u8(1).shl_vartime(255).saturating_sub(&U256::from_u8(19));
const WIDE_MODULUS: U512 = U256::ZERO.concat(&MODULUS);
impl_modulus!(
FieldModulus,
U256,
// 2 ** 255 - 19
"7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed"
);
type ResidueType = Residue<FieldModulus, { FieldModulus::LIMBS }>;
/// A constant-time implementation of the Ed25519 field.
#[derive(Clone, Copy, PartialEq, Eq, Default, Debug, Zeroize)]
#[repr(transparent)]
pub struct FieldElement(ResidueType);
// Square root of -1.
// Formula from RFC-8032 (modp_sqrt_m1/sqrt8k5 z)
// 2 ** ((MODULUS - 1) // 4) % MODULUS
const SQRT_M1: FieldElement = FieldElement(
ResidueType::new(&U256::from_u8(2))
.pow(&MODULUS.saturating_sub(&U256::ONE).wrapping_div(&U256::from_u8(4))),
);
// Constant useful in calculating square roots (RFC-8032 sqrt8k5's exponent used to calculate y)
const MOD_3_8: FieldElement = FieldElement(ResidueType::new(
&MODULUS.saturating_add(&U256::from_u8(3)).wrapping_div(&U256::from_u8(8)),
));
// Constant useful in sqrt_ratio_i (sqrt(u / v))
const MOD_5_8: FieldElement = FieldElement(ResidueType::sub(&MOD_3_8.0, &ResidueType::ONE));
fn reduce(x: U512) -> ResidueType {
ResidueType::new(&U256::from_le_slice(
&x.rem(&NonZero::new(WIDE_MODULUS).unwrap()).to_le_bytes()[.. 32],
))
}
constant_time!(FieldElement, ResidueType);
math!(
FieldElement,
FieldElement,
|x: ResidueType, y: ResidueType| x.add(&y),
|x: ResidueType, y: ResidueType| x.sub(&y),
|x: ResidueType, y: ResidueType| x.mul(&y)
);
macro_rules! from_wrapper {
($uint: ident) => {
impl From<$uint> for FieldElement {
fn from(a: $uint) -> FieldElement {
Self(ResidueType::new(&U256::from(a)))
}
}
};
}
from_wrapper!(u8);
from_wrapper!(u16);
from_wrapper!(u32);
from_wrapper!(u64);
from_wrapper!(u128);
impl Neg for FieldElement {
type Output = Self;
fn neg(self) -> Self::Output {
Self(self.0.neg())
}
}
impl Neg for &FieldElement {
type Output = FieldElement;
fn neg(self) -> Self::Output {
(*self).neg()
}
}
impl Field for FieldElement {
const ZERO: Self = Self(ResidueType::ZERO);
const ONE: Self = Self(ResidueType::ONE);
fn random(mut rng: impl RngCore) -> Self {
let mut bytes = [0; 64];
rng.fill_bytes(&mut bytes);
FieldElement(reduce(U512::from_le_bytes(bytes)))
}
fn square(&self) -> Self {
FieldElement(self.0.square())
}
fn double(&self) -> Self {
FieldElement(self.0.add(&self.0))
}
fn invert(&self) -> CtOption<Self> {
const NEG_2: FieldElement =
FieldElement(ResidueType::new(&MODULUS.saturating_sub(&U256::from_u8(2))));
CtOption::new(self.pow(NEG_2), !self.is_zero())
}
// RFC-8032 sqrt8k5
fn sqrt(&self) -> CtOption<Self> {
let tv1 = self.pow(MOD_3_8);
let tv2 = tv1 * SQRT_M1;
let candidate = Self::conditional_select(&tv2, &tv1, tv1.square().ct_eq(self));
CtOption::new(candidate, candidate.square().ct_eq(self))
}
fn sqrt_ratio(u: &FieldElement, v: &FieldElement) -> (Choice, FieldElement) {
let i = SQRT_M1;
let u = *u;
let v = *v;
let v3 = v.square() * v;
let v7 = v3.square() * v;
let mut r = (u * v3) * (u * v7).pow(MOD_5_8);
let check = v * r.square();
let correct_sign = check.ct_eq(&u);
let flipped_sign = check.ct_eq(&(-u));
let flipped_sign_i = check.ct_eq(&((-u) * i));
r.conditional_assign(&(r * i), flipped_sign | flipped_sign_i);
let r_is_negative = r.is_odd();
r.conditional_negate(r_is_negative);
(correct_sign | flipped_sign, r)
}
}
impl PrimeField for FieldElement {
type Repr = [u8; 32];
// Big endian representation of the modulus
const MODULUS: &'static str = "7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed";
const NUM_BITS: u32 = 255;
const CAPACITY: u32 = 254;
const TWO_INV: Self = FieldElement(ResidueType::new(&U256::from_u8(2)).invert().0);
// This was calculated with the method from the ff crate docs
// SageMath GF(modulus).primitive_element()
const MULTIPLICATIVE_GENERATOR: Self = Self(ResidueType::new(&U256::from_u8(2)));
// This was set per the specification in the ff crate docs
// The number of leading zero bits in the little-endian bit representation of (modulus - 1)
const S: u32 = 2;
// This was calculated via the formula from the ff crate docs
// Self::MULTIPLICATIVE_GENERATOR ** ((modulus - 1) >> Self::S)
const ROOT_OF_UNITY: Self = FieldElement(ResidueType::new(&U256::from_be_hex(
"2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0",
)));
// Self::ROOT_OF_UNITY.invert()
const ROOT_OF_UNITY_INV: Self = FieldElement(Self::ROOT_OF_UNITY.0.invert().0);
// This was calculated via the formula from the ff crate docs
// Self::MULTIPLICATIVE_GENERATOR ** (2 ** Self::S)
const DELTA: Self = FieldElement(ResidueType::new(&U256::from_be_hex(
"0000000000000000000000000000000000000000000000000000000000000010",
)));
fn from_repr(bytes: [u8; 32]) -> CtOption<Self> {
let res = U256::from_le_bytes(bytes);
CtOption::new(Self(ResidueType::new(&res)), res.ct_lt(&MODULUS))
}
fn to_repr(&self) -> [u8; 32] {
self.0.retrieve().to_le_bytes()
}
fn is_odd(&self) -> Choice {
self.0.retrieve().is_odd()
}
fn from_u128(num: u128) -> Self {
Self::from(num)
}
}
impl PrimeFieldBits for FieldElement {
type ReprBits = [u8; 32];
fn to_le_bits(&self) -> FieldBits<Self::ReprBits> {
self.to_repr().into()
}
fn char_le_bits() -> FieldBits<Self::ReprBits> {
MODULUS.to_le_bytes().into()
}
}
impl FieldElement {
/// Create a FieldElement from a `crypto_bigint::U256`.
///
/// This will reduce the `U256` by the modulus, into a member of the field.
pub const fn from_u256(u256: &U256) -> Self {
FieldElement(Residue::new(u256))
}
/// Create a `FieldElement` from the reduction of a 512-bit number.
///
/// The bytes are interpreted in little-endian format.
pub fn wide_reduce(value: [u8; 64]) -> Self {
FieldElement(reduce(U512::from_le_bytes(value)))
}
/// Perform an exponentiation.
pub fn pow(&self, other: FieldElement) -> FieldElement {
let mut table = [FieldElement::ONE; 16];
table[1] = *self;
for i in 2 .. 16 {
table[i] = table[i - 1] * self;
}
let mut res = FieldElement::ONE;
let mut bits = 0;
for (i, mut bit) in other.to_le_bits().iter_mut().rev().enumerate() {
bits <<= 1;
let mut bit = u8_from_bool(&mut bit);
bits |= bit;
bit.zeroize();
if ((i + 1) % 4) == 0 {
if i != 3 {
for _ in 0 .. 4 {
res *= res;
}
}
let mut scale_by = FieldElement::ONE;
#[allow(clippy::needless_range_loop)]
for i in 0 .. 16 {
#[allow(clippy::cast_possible_truncation)] // Safe since 0 .. 16
{
scale_by = <_>::conditional_select(&scale_by, &table[i], bits.ct_eq(&(i as u8)));
}
}
res *= scale_by;
bits = 0;
}
}
res
}
/// The square root of u/v, as used for Ed25519 point decoding (RFC 8032 5.1.3) and within
/// Ristretto (5.1 Extracting an Inverse Square Root).
///
/// The result is only a valid square root if the Choice is true.
/// RFC 8032 simply fails if there isn't a square root, leaving any return value undefined.
/// Ristretto explicitly returns 0 or sqrt((SQRT_M1 * u) / v).
pub fn sqrt_ratio_i(u: FieldElement, v: FieldElement) -> (Choice, FieldElement) {
let i = SQRT_M1;
let v3 = v.square() * v;
let v7 = v3.square() * v;
// Candidate root
let mut r = (u * v3) * (u * v7).pow(MOD_5_8);
// 8032 3.1
let check = v * r.square();
let correct_sign = check.ct_eq(&u);
// 8032 3.2 conditional
let neg_u = -u;
let flipped_sign = check.ct_eq(&neg_u);
// Ristretto Step 5
let flipped_sign_i = check.ct_eq(&(neg_u * i));
// 3.2 set
r.conditional_assign(&(r * i), flipped_sign | flipped_sign_i);
// Always return the even root, per Ristretto
// This doesn't break Ed25519 point decoding as that doesn't expect these steps to return a
// specific root
// Ed25519 points include a dedicated sign bit to determine which root to use, so at worst
// this is a pointless inefficiency
r.conditional_negate(r.is_odd());
(correct_sign | flipped_sign, r)
}
}
impl FromUniformBytes<64> for FieldElement {
fn from_uniform_bytes(bytes: &[u8; 64]) -> Self {
Self::wide_reduce(*bytes)
}
}
impl Sum<FieldElement> for FieldElement {
fn sum<I: Iterator<Item = FieldElement>>(iter: I) -> FieldElement {
let mut res = FieldElement::ZERO;
for item in iter {
res += item;
}
res
}
}
impl<'a> Sum<&'a FieldElement> for FieldElement {
fn sum<I: Iterator<Item = &'a FieldElement>>(iter: I) -> FieldElement {
iter.copied().sum()
}
}
impl Product<FieldElement> for FieldElement {
fn product<I: Iterator<Item = FieldElement>>(iter: I) -> FieldElement {
let mut res = FieldElement::ONE;
for item in iter {
res *= item;
}
res
}
}
impl<'a> Product<&'a FieldElement> for FieldElement {
fn product<I: Iterator<Item = &'a FieldElement>>(iter: I) -> FieldElement {
iter.copied().product()
}
}
#[test]
fn test_wide_modulus() {
let mut wide = [0; 64];
wide[.. 32].copy_from_slice(&MODULUS.to_le_bytes());
assert_eq!(wide, WIDE_MODULUS.to_le_bytes());
}
#[test]
fn test_sqrt_m1() {
// Test equivalence against the known constant value
const SQRT_M1_MAGIC: U256 =
U256::from_be_hex("2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0");
assert_eq!(SQRT_M1.0.retrieve(), SQRT_M1_MAGIC);
// Also test equivalence against the result of the formula from RFC-8032 (modp_sqrt_m1/sqrt8k5 z)
// 2 ** ((MODULUS - 1) // 4) % MODULUS
assert_eq!(
SQRT_M1,
FieldElement::from(2u8).pow(FieldElement(ResidueType::new(
&(FieldElement::ZERO - FieldElement::ONE).0.retrieve().wrapping_div(&U256::from(4u8))
)))
);
}
#[test]
fn test_field() {
ff_group_tests::prime_field::test_prime_field_bits::<_, FieldElement>(&mut rand_core::OsRng);
}

48
crypto/dalek-ff-group/src/lib.rs
View File

@@ -29,33 +29,16 @@ use dalek::{
};
pub use constants::{ED25519_BASEPOINT_TABLE, RISTRETTO_BASEPOINT_TABLE};
use group::{
use ::ciphersuite::group::{
ff::{Field, PrimeField, FieldBits, PrimeFieldBits, FromUniformBytes},
Group, GroupEncoding,
prime::PrimeGroup,
};
mod field;
pub use field::FieldElement;
mod ciphersuite;
pub use crate::ciphersuite::{Ed25519, Ristretto};
// Use black_box when possible
#[rustversion::since(1.66)]
mod black_box {
pub(crate) fn black_box<T>(val: T) -> T {
#[allow(clippy::incompatible_msrv)]
core::hint::black_box(val)
}
}
#[rustversion::before(1.66)]
mod black_box {
pub(crate) fn black_box<T>(val: T) -> T {
val
}
}
use black_box::black_box;
use core::hint::black_box;
fn u8_from_bool(bit_ref: &mut bool) -> u8 {
let bit_ref = black_box(bit_ref);
@@ -502,3 +485,30 @@ fn test_ed25519_group() {
fn test_ristretto_group() {
ff_group_tests::group::test_prime_group_bits::<_, RistrettoPoint>(&mut rand_core::OsRng);
}
type ThirtyTwoArray = [u8; 32];
prime_field::odd_prime_field_with_specific_repr!(
FieldElement,
"0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed",
"02",
false,
crate::ThirtyTwoArray
);
impl FieldElement {
/// Create a FieldElement from a `crypto_bigint::U256`.
///
/// This will reduce the `U256` by the modulus, into a member of the field.
#[deprecated]
pub const fn from_u256(u256: &crypto_bigint::U256) -> Self {
FieldElement::from(&prime_field::crypto_bigint::U256::from_words(*u256.as_words()))
}
/// Create a `FieldElement` from the reduction of a 512-bit number.
///
/// The bytes are interpreted in little-endian format.
#[deprecated]
pub fn wide_reduce(value: [u8; 64]) -> Self {
<FieldElement as ::ciphersuite::group::ff::FromUniformBytes<_>>::from_uniform_bytes(&value)
}
}