reddsa/src/lib.rs

// -*- mode: rust; -*-
//
// This file is part of reddsa.
// Copyright (c) 2019-2021 Zcash Foundation
// See LICENSE for licensing information.
//
// Authors:
// - Deirdre Connolly <deirdre@zfnd.org>
// - Henry de Valence <hdevalence@hdevalence.ca>

#![deny(missing_docs)]
#![doc = include_str!("../README.md")]

pub mod batch;
mod constants;
mod error;
pub mod frost;
mod hash;
mod messages;
mod scalar_mul;
pub(crate) mod signature;
mod signing_key;
mod verification_key;

/// An element of the JubJub scalar field used for randomization of public and secret keys.
pub type Randomizer = jubjub::Scalar;

use hash::HStar;

pub use error::Error;
pub use signature::Signature;
pub use signing_key::SigningKey;
pub use verification_key::{VerificationKey, VerificationKeyBytes};

/// Abstracts over different RedJubJub parameter choices, [`Binding`]
/// and [`SpendAuth`].
///
/// As described [at the end of §5.4.6][concretereddsa] of the Zcash
/// protocol specification, the generator used in RedJubjub is left as
/// an unspecified parameter, chosen differently for each of
/// `BindingSig` and `SpendAuthSig`.
///
/// To handle this, we encode the parameter choice as a genuine type
/// parameter.
///
/// [concretereddsa]: https://zips.z.cash/protocol/protocol.pdf#concretereddsa
pub trait SigType: private::Sealed {}

/// A type variable corresponding to Zcash's `BindingSig`.
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub enum Binding {}
impl SigType for Binding {}

/// A type variable corresponding to Zcash's `SpendAuthSig`.
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub enum SpendAuth {}
impl SigType for SpendAuth {}

pub(crate) mod private {
    use super::*;
    pub trait Sealed: Copy + Clone + Eq + PartialEq + std::fmt::Debug {
        fn basepoint() -> jubjub::ExtendedPoint;
    }
    impl Sealed for Binding {
        fn basepoint() -> jubjub::ExtendedPoint {
            jubjub::AffinePoint::from_bytes(constants::BINDINGSIG_BASEPOINT_BYTES)
                .unwrap()
                .into()
        }
    }
    impl Sealed for SpendAuth {
        fn basepoint() -> jubjub::ExtendedPoint {
            jubjub::AffinePoint::from_bytes(constants::SPENDAUTHSIG_BASEPOINT_BYTES)
                .unwrap()
                .into()
        }
    }
}
Frost keygen with dealer (#47) Implements FROST (Flexible Round Optimized Schnorr Threshold Signatures, https://eprint.iacr.org/2020/852) where key generation is performed by a trusted dealer. Future work will include implementing distributed key generation and re-randomizability. Co-authored-by: Chelsea Komlo <me@chelseakomlo.com> Co-authored-by: Isis Lovecruft <isis@patternsinthevoid.net> 2021-02-25 08:06:54 -08:00			`// -- mode: rust; --`
			`//`
Rename crate to reddsa 2021-03-01 06:38:25 -08:00			`// This file is part of reddsa.`
Frost keygen with dealer (#47) Implements FROST (Flexible Round Optimized Schnorr Threshold Signatures, https://eprint.iacr.org/2020/852) where key generation is performed by a trusted dealer. Future work will include implementing distributed key generation and re-randomizability. Co-authored-by: Chelsea Komlo <me@chelseakomlo.com> Co-authored-by: Isis Lovecruft <isis@patternsinthevoid.net> 2021-02-25 08:06:54 -08:00			`// Copyright (c) 2019-2021 Zcash Foundation`
			`// See LICENSE for licensing information.`
			`//`
			`// Authors:`
			`// - Deirdre Connolly <deirdre@zfnd.org>`
			`// - Henry de Valence <hdevalence@hdevalence.ca>`

Add error stub 2019-12-02 21:36:47 -08:00			`#![deny(missing_docs)]`
Remove extra module-level doc to allow doc = include_str to work 2021-06-22 13:34:07 -07:00			`#![doc = include_str!("../README.md")]`
Add readme, module layout 2019-12-02 21:32:38 -08:00
Optimized batch verification (#36) * Pulls in some traits and methods from curve25519-dalek around the vartime multiscalar multiplication. * Move scalar mul things we want to upstream to jubjub to their own crate * Make Verify agnostic to the SigType Co-authored-by: Henry de Valence <hdevalence@hdevalence.ca> Co-authored-by: Jane Lusby <jlusby42@gmail.com> 2020-07-03 15:23:28 -07:00			`pub mod batch;`
Add byte encodings for Binding, SpendAuth basepoints. These were extracted by adding printlns to the test suite for librustzcash. 2019-12-03 13:37:12 -08:00			`mod constants;`
Add error stub 2019-12-02 21:36:47 -08:00			`mod error;`
Frost keygen with dealer (#47) Implements FROST (Flexible Round Optimized Schnorr Threshold Signatures, https://eprint.iacr.org/2020/852) where key generation is performed by a trusted dealer. Future work will include implementing distributed key generation and re-randomizability. Co-authored-by: Chelsea Komlo <me@chelseakomlo.com> Co-authored-by: Isis Lovecruft <isis@patternsinthevoid.net> 2021-02-25 08:06:54 -08:00			`pub mod frost;`
Add an hash-to-scalar implementation. 2019-12-03 19:54:31 -08:00			`mod hash;`
Implement the messages spec (#114) * start messages and validation * add missing docs to constants * change validation to matches, fix constant doc Co-authored-by: teor <teor@riseup.net> * fix the build * validate share_commitment * add new constants and validations * fix validation * derive serde Serialize and Deserialize in all messages structs * update created structs Co-authored-by: teor <teor@riseup.net> * fix build * define and use a new MAX_SIGNERS constant * change group_public type * add some test cases * add validation and serialization tests for SigningCommitments * add validation and serialization test to SigningPackage * change some fields order matching the spec * fix field order in tests according to last updates to the spec * implement serialize and deserialize for ParticipantId * move serde-json to dev-dependencies section * change to pub(crate) * fix serialize of VerificationKey * add assert to serialize * add note, fix typo * improve some code in tests * test serialization of individual fields * start messages and validation * add missing docs to constants * change validation to matches, fix constant doc Co-authored-by: teor <teor@riseup.net> * fix the build * validate share_commitment * add new constants and validations * fix validation * define and use a new MAX_SIGNERS constant * change group_public type * change some fields order matching the spec * change message fields to new spec * remove some non needed conversions * use a BTreeMap to guarantee the order * remove some calls to `clone()` by implementing `Copy` * change message type in frost and add validate_signatureshare test * change `share_commitment` to BTreeMap * add `serialize_signatureshare` test * add aggregatesignature tests * add some test header messages utility functions * add a setup utility * move the general serialization checks into an utility function * fi some typos * add and use a `generate_share_commitment` utility * add create_signing_commitments utility function * improve the serialization tests * make room for prop tests * add arbitrary tests for serialization * remove allow dead code from messages * fix some imports * make signature module public only to the crate * simplify a bit the frost tests * improve the generated docs * add a `prop_filter` to Header arbitrary * (ab)use proptest_derive * improve validation for Message * improve some utility functions * change frost to serialization id conversion * add a quick btreemap test * change the `MsgType` to `u32` * add no leftover bytes checks * add a full_setup utility * add map len checks Co-authored-by: teor <teor@riseup.net> 2021-06-16 12:13:23 -07:00			`mod messages;`
Optimized batch verification (#36) * Pulls in some traits and methods from curve25519-dalek around the vartime multiscalar multiplication. * Move scalar mul things we want to upstream to jubjub to their own crate * Make Verify agnostic to the SigType Co-authored-by: Henry de Valence <hdevalence@hdevalence.ca> Co-authored-by: Jane Lusby <jlusby42@gmail.com> 2020-07-03 15:23:28 -07:00			`mod scalar_mul;`
Implement the messages spec (#114) * start messages and validation * add missing docs to constants * change validation to matches, fix constant doc Co-authored-by: teor <teor@riseup.net> * fix the build * validate share_commitment * add new constants and validations * fix validation * derive serde Serialize and Deserialize in all messages structs * update created structs Co-authored-by: teor <teor@riseup.net> * fix build * define and use a new MAX_SIGNERS constant * change group_public type * add some test cases * add validation and serialization tests for SigningCommitments * add validation and serialization test to SigningPackage * change some fields order matching the spec * fix field order in tests according to last updates to the spec * implement serialize and deserialize for ParticipantId * move serde-json to dev-dependencies section * change to pub(crate) * fix serialize of VerificationKey * add assert to serialize * add note, fix typo * improve some code in tests * test serialization of individual fields * start messages and validation * add missing docs to constants * change validation to matches, fix constant doc Co-authored-by: teor <teor@riseup.net> * fix the build * validate share_commitment * add new constants and validations * fix validation * define and use a new MAX_SIGNERS constant * change group_public type * change some fields order matching the spec * change message fields to new spec * remove some non needed conversions * use a BTreeMap to guarantee the order * remove some calls to `clone()` by implementing `Copy` * change message type in frost and add validate_signatureshare test * change `share_commitment` to BTreeMap * add `serialize_signatureshare` test * add aggregatesignature tests * add some test header messages utility functions * add a setup utility * move the general serialization checks into an utility function * fi some typos * add and use a `generate_share_commitment` utility * add create_signing_commitments utility function * improve the serialization tests * make room for prop tests * add arbitrary tests for serialization * remove allow dead code from messages * fix some imports * make signature module public only to the crate * simplify a bit the frost tests * improve the generated docs * add a `prop_filter` to Header arbitrary * (ab)use proptest_derive * improve validation for Message * improve some utility functions * change frost to serialization id conversion * add a quick btreemap test * change the `MsgType` to `u32` * add no leftover bytes checks * add a full_setup utility * add map len checks Co-authored-by: teor <teor@riseup.net> 2021-06-16 12:13:23 -07:00			`pub(crate) mod signature;`
Change terminology to signing, verification keys (#35) Matches ed25519-zebra. Resolves #33 2020-06-25 11:56:29 -07:00			`mod signing_key;`
			`mod verification_key;`
Add readme, module layout 2019-12-02 21:32:38 -08:00
Add rerandomization stub API. 2019-12-02 22:32:55 -08:00			`/// An element of the JubJub scalar field used for randomization of public and secret keys.`
Migrate to jubjub 0.6 2021-03-01 06:54:52 -08:00			`pub type Randomizer = jubjub::Scalar;`
Add rerandomization stub API. 2019-12-02 22:32:55 -08:00
Add an hash-to-scalar implementation. 2019-12-03 19:54:31 -08:00			`use hash::HStar;`

Add error stub 2019-12-02 21:36:47 -08:00			`pub use error::Error;`
Define main types for the library. 2019-12-02 21:58:19 -08:00			`pub use signature::Signature;`
Change terminology to signing, verification keys (#35) Matches ed25519-zebra. Resolves #33 2020-06-25 11:56:29 -07:00			`pub use signing_key::SigningKey;`
			`pub use verification_key::{VerificationKey, VerificationKeyBytes};`
Add readme, module layout 2019-12-02 21:32:38 -08:00
Make Binding, SpendAuth enums so they show in a different Rustdoc section. 2019-12-04 16:41:16 -08:00			/// Abstracts over different RedJubJub parameter choices, [`Binding`]
			/// and [`SpendAuth`].
Make the signature type be a type parameter. This means that using a BindingSig as a SpendAuthSig or vice versa becomes a compile error. Internally, we can share implementations, but having type parameters and specialized impls means that the correct parameters can be substituted in to whatever inner functions exist. 2019-12-03 12:22:35 -08:00			`///`
			`/// As described [at the end of §5.4.6][concretereddsa] of the Zcash`
			`/// protocol specification, the generator used in RedJubjub is left as`
			`/// an unspecified parameter, chosen differently for each of`
			/// `BindingSig` and `SpendAuthSig`.
			`///`
			`/// To handle this, we encode the parameter choice as a genuine type`
			`/// parameter.`
			`///`
			`/// [concretereddsa]: https://zips.z.cash/protocol/protocol.pdf#concretereddsa`
			`pub trait SigType: private::Sealed {}`

			/// A type variable corresponding to Zcash's `BindingSig`.
Fix trait bounds on SigType. When Rust derives Copy, Clone, Eq, PartialEq, etc. on a type with `PhantomData<T>`, it adds a `T: Clone` etc. bound, regardless of whether `T` is only ever used inside of the `PhantomData`. A better fix would be to fix the derived bounds themselves, but in the meantime this works, even if it's slightly ugly. 2019-12-09 11:07:24 -08:00			`#[derive(Copy, Clone, PartialEq, Eq, Debug)]`
Make Binding, SpendAuth enums so they show in a different Rustdoc section. 2019-12-04 16:41:16 -08:00			`pub enum Binding {}`
Make the signature type be a type parameter. This means that using a BindingSig as a SpendAuthSig or vice versa becomes a compile error. Internally, we can share implementations, but having type parameters and specialized impls means that the correct parameters can be substituted in to whatever inner functions exist. 2019-12-03 12:22:35 -08:00			`impl SigType for Binding {}`

			/// A type variable corresponding to Zcash's `SpendAuthSig`.
Fix trait bounds on SigType. When Rust derives Copy, Clone, Eq, PartialEq, etc. on a type with `PhantomData<T>`, it adds a `T: Clone` etc. bound, regardless of whether `T` is only ever used inside of the `PhantomData`. A better fix would be to fix the derived bounds themselves, but in the meantime this works, even if it's slightly ugly. 2019-12-09 11:07:24 -08:00			`#[derive(Copy, Clone, PartialEq, Eq, Debug)]`
Make Binding, SpendAuth enums so they show in a different Rustdoc section. 2019-12-04 16:41:16 -08:00			`pub enum SpendAuth {}`
Make the signature type be a type parameter. This means that using a BindingSig as a SpendAuthSig or vice versa becomes a compile error. Internally, we can share implementations, but having type parameters and specialized impls means that the correct parameters can be substituted in to whatever inner functions exist. 2019-12-03 12:22:35 -08:00			`impl SigType for SpendAuth {}`

Add methods to the Sealed trait, simplifying types. The motivation is as follows. The sealed trait pattern allows creating a type-level equivalent of an enum: the trait corresponds to the enum type and its implementors correspond to the enum variants; the `Sealed` restriction ensures that there is a fixed set of enum variants. In this picture, adding methods to the public trait corresponds to a public method on an enum, while adding methods to the private trait corresponds to a private method on an enum. This means that we can add a method to get the basepoint (whose possible choices are enumerated by SigType) and avoid having to do specialized impls. 2019-12-03 18:20:45 -08:00			`pub(crate) mod private {`
Make the signature type be a type parameter. This means that using a BindingSig as a SpendAuthSig or vice versa becomes a compile error. Internally, we can share implementations, but having type parameters and specialized impls means that the correct parameters can be substituted in to whatever inner functions exist. 2019-12-03 12:22:35 -08:00			`use super::*;`
Fix trait bounds on SigType. When Rust derives Copy, Clone, Eq, PartialEq, etc. on a type with `PhantomData<T>`, it adds a `T: Clone` etc. bound, regardless of whether `T` is only ever used inside of the `PhantomData`. A better fix would be to fix the derived bounds themselves, but in the meantime this works, even if it's slightly ugly. 2019-12-09 11:07:24 -08:00			`pub trait Sealed: Copy + Clone + Eq + PartialEq + std::fmt::Debug {`
Add methods to the Sealed trait, simplifying types. The motivation is as follows. The sealed trait pattern allows creating a type-level equivalent of an enum: the trait corresponds to the enum type and its implementors correspond to the enum variants; the `Sealed` restriction ensures that there is a fixed set of enum variants. In this picture, adding methods to the public trait corresponds to a public method on an enum, while adding methods to the private trait corresponds to a private method on an enum. This means that we can add a method to get the basepoint (whose possible choices are enumerated by SigType) and avoid having to do specialized impls. 2019-12-03 18:20:45 -08:00			`fn basepoint() -> jubjub::ExtendedPoint;`
			`}`
			`impl Sealed for Binding {`
			`fn basepoint() -> jubjub::ExtendedPoint {`
			`jubjub::AffinePoint::from_bytes(constants::BINDINGSIG_BASEPOINT_BYTES)`
			`.unwrap()`
			`.into()`
			`}`
			`}`
			`impl Sealed for SpendAuth {`
			`fn basepoint() -> jubjub::ExtendedPoint {`
			`jubjub::AffinePoint::from_bytes(constants::SPENDAUTHSIG_BASEPOINT_BYTES)`
			`.unwrap()`
			`.into()`
			`}`
			`}`
Make the signature type be a type parameter. This means that using a BindingSig as a SpendAuthSig or vice versa becomes a compile error. Internally, we can share implementations, but having type parameters and specialized impls means that the correct parameters can be substituted in to whatever inner functions exist. 2019-12-03 12:22:35 -08:00			`}`