mirror of
https://github.com/serai-dex/serai.git
synced 2025-12-11 13:39:25 +00:00
a141deaf36
This helps identify where the various functionalities are used, or rather, not used. The `Ciphersuite` trait present in `patches/ciphersuite`, facilitating the entire FCMP++ tree, only requires the markers _and_ canonical point decoding. I've opened a PR to upstream such a trait into `group` (https://github.com/zkcrypto/group/pull/68). `WrappedGroup` is still justified for as long as `Group::generator` exists. Moving `::generator()` to its own trait, on an independent structure (upstream) would be massively appreciated. @tarcieri also wanted to update from `fn generator()` to `const GENERATOR`, which would encourage further discussion on https://github.com/zkcrypto/group/issues/32 and https://github.com/zkcrypto/group/issues/45, which have been stagnant. The `Id` trait is occasionally used yet really should be first off the chopping block. Finally, `WithPreferredHash` is only actually used around a third of the time, which more than justifies it being a separate trait. --- Updates `dalek_ff_group::Scalar` to directly re-export `curve25519_dalek::Scalar`, as without issue. `dalek_ff_group::RistrettoPoint` also could be replaced with an export of `curve25519_dalek::RistrettoPoint`, yet the coordinator relies on how we implemented `Hash` on it for the hell of it so it isn't worth it at this time. `dalek_ff_group::EdwardsPoint` can't be replaced for an re-export of `curve25519_dalek::SubgroupPoint` as it doesn't implement `zeroize`, `subtle` traits within a released, non-yanked version. Relevance to https://github.com/serai-dex/serai/issues/201 and https://github.com/dalek-cryptography/curve25519-dalek/issues/811#issuecomment-3247732746. Also updates the `Ristretto` ciphersuite to prefer `Blake2b-512` over `SHA2-512`. In order to maintain compliance with FROST's IETF standard, `modular-frost` defines its own ciphersuite for Ristretto which still uses `SHA2-512`.
157 lines
4.7 KiB
Rust
157 lines
4.7 KiB
Rust
use std_shims::{
|
|
vec::Vec,
|
|
io::{self, Read, Write},
|
|
};
|
|
|
|
use zeroize::Zeroize;
|
|
|
|
use transcript::{Transcript, DigestTranscript};
|
|
|
|
use ciphersuite::{
|
|
group::{
|
|
ff::{Field, PrimeField},
|
|
Group, GroupEncoding,
|
|
},
|
|
FromUniformBytes, GroupIo, WithPreferredHash,
|
|
};
|
|
use multiexp::multiexp_vartime;
|
|
|
|
use crate::SchnorrSignature;
|
|
|
|
// Returns a unbiased scalar weight to use on a signature in order to prevent malleability
|
|
fn weight<C: WithPreferredHash>(digest: &mut DigestTranscript<C::H>) -> C::F {
|
|
let bytes = digest.challenge(b"aggregation_weight");
|
|
C::F::from_uniform_bytes(&bytes.into())
|
|
}
|
|
|
|
/// Aggregate Schnorr signature as defined in <https://eprint.iacr.org/2021/350>.
|
|
#[allow(non_snake_case)]
|
|
#[derive(Clone, PartialEq, Eq, Debug, Zeroize)]
|
|
pub struct SchnorrAggregate<C: GroupIo + WithPreferredHash> {
|
|
Rs: Vec<C::G>,
|
|
s: C::F,
|
|
}
|
|
|
|
impl<C: GroupIo + WithPreferredHash> SchnorrAggregate<C> {
|
|
/// Read a SchnorrAggregate from something implementing Read.
|
|
pub fn read<R: Read>(reader: &mut R) -> io::Result<Self> {
|
|
let mut len = [0; 4];
|
|
reader.read_exact(&mut len)?;
|
|
|
|
#[allow(non_snake_case)]
|
|
let mut Rs = vec![];
|
|
for _ in 0 .. u32::from_le_bytes(len) {
|
|
Rs.push(C::read_G(reader)?);
|
|
}
|
|
|
|
Ok(SchnorrAggregate { Rs, s: C::read_F(reader)? })
|
|
}
|
|
|
|
/// Write a SchnorrAggregate to something implementing Write.
|
|
///
|
|
/// This will panic if more than 4 billion signatures were aggregated.
|
|
pub fn write<W: Write>(&self, writer: &mut W) -> io::Result<()> {
|
|
writer.write_all(
|
|
&u32::try_from(self.Rs.len())
|
|
.expect("more than 4 billion signatures in aggregate")
|
|
.to_le_bytes(),
|
|
)?;
|
|
#[allow(non_snake_case)]
|
|
for R in &self.Rs {
|
|
writer.write_all(R.to_bytes().as_ref())?;
|
|
}
|
|
writer.write_all(self.s.to_repr().as_ref())
|
|
}
|
|
|
|
/// Serialize a SchnorrAggregate, returning a `Vec<u8>`.
|
|
pub fn serialize(&self) -> Vec<u8> {
|
|
let mut buf = vec![];
|
|
self.write(&mut buf).unwrap();
|
|
buf
|
|
}
|
|
|
|
#[allow(non_snake_case)]
|
|
pub fn Rs(&self) -> &[C::G] {
|
|
self.Rs.as_slice()
|
|
}
|
|
|
|
/// Perform signature verification.
|
|
///
|
|
/// Challenges must be properly crafted, which means being binding to the public key, nonce, and
|
|
/// any message. Failure to do so will let a malicious adversary to forge signatures for
|
|
/// different keys/messages.
|
|
///
|
|
/// The DST used here must prevent a collision with whatever hash function produced the
|
|
/// challenges.
|
|
#[must_use]
|
|
pub fn verify(&self, dst: &'static [u8], keys_and_challenges: &[(C::G, C::F)]) -> bool {
|
|
if self.Rs.len() != keys_and_challenges.len() {
|
|
return false;
|
|
}
|
|
|
|
let mut digest = DigestTranscript::<C::H>::new(dst);
|
|
digest.domain_separate(b"signatures");
|
|
for (_, challenge) in keys_and_challenges {
|
|
digest.append_message(b"challenge", challenge.to_repr());
|
|
}
|
|
|
|
let mut pairs = Vec::with_capacity((2 * keys_and_challenges.len()) + 1);
|
|
for (i, (key, challenge)) in keys_and_challenges.iter().enumerate() {
|
|
let z = weight::<C>(&mut digest);
|
|
pairs.push((z, self.Rs[i]));
|
|
pairs.push((z * challenge, *key));
|
|
}
|
|
pairs.push((-self.s, C::generator()));
|
|
multiexp_vartime(&pairs).is_identity().into()
|
|
}
|
|
}
|
|
|
|
/// A signature aggregator capable of consuming signatures in order to produce an aggregate.
|
|
#[allow(non_snake_case)]
|
|
#[derive(Clone, Debug)]
|
|
pub struct SchnorrAggregator<C: GroupIo + WithPreferredHash> {
|
|
digest: DigestTranscript<C::H>,
|
|
sigs: Vec<SchnorrSignature<C>>,
|
|
}
|
|
impl<C: GroupIo + WithPreferredHash> Zeroize for SchnorrAggregator<C>
|
|
where
|
|
C::H: digest::block_api::BlockSizeUser,
|
|
{
|
|
fn zeroize(&mut self) {
|
|
self.digest.zeroize();
|
|
self.sigs.zeroize();
|
|
}
|
|
}
|
|
|
|
impl<C: GroupIo + WithPreferredHash> SchnorrAggregator<C> {
|
|
/// Create a new aggregator.
|
|
///
|
|
/// The DST used here must prevent a collision with whatever hash function produced the
|
|
/// challenges.
|
|
pub fn new(dst: &'static [u8]) -> Self {
|
|
let mut res = Self { digest: DigestTranscript::<C::H>::new(dst), sigs: vec![] };
|
|
res.digest.domain_separate(b"signatures");
|
|
res
|
|
}
|
|
|
|
/// Aggregate a signature.
|
|
pub fn aggregate(&mut self, challenge: C::F, sig: SchnorrSignature<C>) {
|
|
self.digest.append_message(b"challenge", challenge.to_repr());
|
|
self.sigs.push(sig);
|
|
}
|
|
|
|
/// Complete aggregation, returning None if none were aggregated.
|
|
pub fn complete(mut self) -> Option<SchnorrAggregate<C>> {
|
|
if self.sigs.is_empty() {
|
|
return None;
|
|
}
|
|
|
|
let mut aggregate = SchnorrAggregate { Rs: Vec::with_capacity(self.sigs.len()), s: C::F::ZERO };
|
|
for i in 0 .. self.sigs.len() {
|
|
aggregate.Rs.push(self.sigs[i].R);
|
|
aggregate.s += self.sigs[i].s * weight::<C>(&mut self.digest);
|
|
}
|
|
Some(aggregate)
|
|
}
|
|
}
|