* WIP constant-time implementation of the ec-divisors library
* Fix misc logic errors in poly.rs
* Remove accidentally committed test statements
* Fix ConstantTimeEq for CoefficientIndex
* Correct the iterations formula
x**3 / (0 y + x**1) would prior be considered indivisible with iterations = 0.
It is divisible however. The amount of iterations should be the amount of
coefficients within the numerator *excluding the coefficient for y**0 x**0*.
* Poly PartialEq, conditional_select_poly which checks poly structure equivalence
If the first passed argument is smaller than the latter, it's padded to the
necessary length.
Also adds code to trim the remainder as the remainder is the value modulo, so
it's very important it remains concise and workable.
* Fix the line function
It selected the case if both were identity before selecting the case if either
were identity, the latter overwriting the former.
* Final fixes re: ct_get
1) Our quotient structure does need to be of size equal to the numerator
entirely to prevent out-of-bounds reads on it
2) We need to get from yx_coefficients if of length >=, so if the length is 1
we can read y_pow=1 from it. If y_pow=0, and its length is 0 so it has no
inner Vecs, we need to fall back with the guard y_pow != 0.
* Add a trim algorithm to lib.rs to prevent Polys from becoming unbearably gigantic
Our Poly algorithm is incredibly leaky. While it presumably should be improved,
we can take advantage of our known structure while constructing divisors (and
the small modulus) to simply trim out the zero coefficients leaked. This
maintains Polys in a manageable size.
* Move constant-time scalar mul gadget divisor creation from dkg to ec-divisors
Anyone creating a divisor for the scalar mul gadget should use constant time
code, so this code should at least be in the EC gadgets crate It's of
non-trivial complexity to deal with otherwise.
* Remove unsafe, cache timing attacks from ec-divisors
monero-wallet ships an Eventuality, yet it's across the entire transaction. It
can't prove a single output's state with a traditional payment proof. By adding
this new object, another library can obtain the ephemeral randomness used and
do any/every proof they want regarding a transaction's outputs.
Necessary for https://github.com/serai-dex/serai/issues/599.
This technically has a TOCTOU where we sync an Epoch's metadata (signifying we
did sync to that point), then check if the Router was deployed, yet at that
very moment the node resets to genesis. By ensuring the Router is deployed, we
avoid this (and don't need to track the deployment block in-contract).
Also uses a JoinSet to sync the 32 blocks in parallel.
The caller is paid a fixed fee per unit of gas spent. That arguably
incentivizes the publisher to raise the gas used by internal calls, yet this
doesn't effect the user UX as they'll have flatly paid the worst-case fee
already. It does pose a risk where callers are arguably incentivized to cause
transaction failures which consume all the gas, not just increased gas, yet:
1) Modern smart contracts don't error by consuming all the gas
2) This is presumably infeasible
3) Even if it was feasible, the gas fees gained presumably exceed the gas fees
spent causing the failure
The benefit to only paying the callers for the gas used, not the gas alotted,
is it allows Serai to build up a buffer. While this should be minor, a few
cents on every transaction at best, if we ever do have any costs slip through
the cracks, it ideally is sufficient to handle those.
