absolutebi/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-12-08 20:29:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
28dbef8a1cd5003734a5669b2fb60e5dcccb954d
serai/crypto/dkg/evrf
History
Luke Parker a141deaf36 Smash the singular Ciphersuite trait into multiple 
This helps identify where the various functionalities are used, or rather, not
used. The `Ciphersuite` trait present in `patches/ciphersuite`, facilitating
the entire FCMP++ tree, only requires the markers _and_ canonical point
decoding. I've opened a PR to upstream such a trait into `group`
(https://github.com/zkcrypto/group/pull/68).

`WrappedGroup` is still justified for as long as `Group::generator` exists.
Moving `::generator()` to its own trait, on an independent structure (upstream)
would be massively appreciated. @tarcieri also wanted to update from
`fn generator()` to `const GENERATOR`, which would encourage further discussion
on https://github.com/zkcrypto/group/issues/32 and
https://github.com/zkcrypto/group/issues/45, which have been stagnant.

The `Id` trait is occasionally used yet really should be first off the chopping
block.

Finally, `WithPreferredHash` is only actually used around a third of the time,
which more than justifies it being a separate trait.

---

Updates `dalek_ff_group::Scalar` to directly re-export
`curve25519_dalek::Scalar`, as without issue. `dalek_ff_group::RistrettoPoint`
also could be replaced with an export of `curve25519_dalek::RistrettoPoint`,
yet the coordinator relies on how we implemented `Hash` on it for the hell of
it so it isn't worth it at this time. `dalek_ff_group::EdwardsPoint` can't be
replaced for an re-export of `curve25519_dalek::SubgroupPoint` as it doesn't
implement `zeroize`, `subtle` traits within a released, non-yanked version.
Relevance to https://github.com/serai-dex/serai/issues/201 and
https://github.com/dalek-cryptography/curve25519-dalek/issues/811#issuecomment-3247732746.

Also updates the `Ristretto` ciphersuite to prefer `Blake2b-512` over
`SHA2-512`. In order to maintain compliance with FROST's IETF standard,
`modular-frost` defines its own ciphersuite for Ristretto which still uses
`SHA2-512`.
2025-09-03 13:50:20 -04:00
..
src
Smash the singular Ciphersuite trait into multiple
2025-09-03 13:50:20 -04:00
Cargo.toml
Smash the singular Ciphersuite trait into multiple
2025-09-03 13:50:20 -04:00
LICENSE
Update licenses
2025-08-25 10:06:35 -04:00
README.md
dkg-evrf crate
2025-08-25 04:49:54 -04:00

README.md

eVRF DKG

The DKG from the eVRF paper, extended with Verifiable Encryption premised on the same methodology present in the eVRF paper.

The DDH-premised VRF is used, yet the different instantiation presented in section 6.4 premised on elliptic curve divisors. The one-round threshold DKG presented in section 4.2 is extended, with the following changes:

  • Any threshold of t participants may complete the DKG. This allows an adversary to bias the resulting key by choosing the set of participants, yet offers a robust protocol. The caller is able to choose between robustness and a lack of bias by completing the DKG with just t messages or by waiting for all n. If the caller does opt for robustness, the caller must ensure participants agree on the subset of participants who actually participated.

  • Communication of shares was prior defined as simply sending the share to the relevant participant, with no description of the channel. Now, a pair of ECDHs are performed on the embedded curve occurs (between the sender and the recipient's public key), whose x coordinates are summed for a random, uniform value (as an eVRF would). This value is used as a mask to encrypt the communicated secret share, with the zero-knowledge proof proving it's well-formed. This removes the need for a complaint round from the protocol, allowing it to truly complete (with all recipients holding valid shares) in just one round.

For a gist of the verifiable encryption scheme, please see https://gist.github.com/kayabaNerve/cfbde74b0660dfdf8dd55326d6ec33d7. Security proofs are currently being worked on.

This library relies on an implementation of Bulletproofs and various zero-knowledge gadgets. This library uses generalized-bulletproofs, generalized-bulletproofs-circuit-abstraction, and generalized-bulletproofs-ec-gadgets from the Monero project's FCMP++ codebase. These libraries have received the following audits in the past:

This library supports being run in no-std contexts with alloc when the std feature (on by default) is disabled. Due to the intensity of the ZK proofs, this isn't recommended, yet may be justified when verifying posted proofs are correct.

Reference in New Issue View Git Blame Copy Permalink