zecfoundation
/
reddsa
mirror of https://github.com/ZcashFoundation/reddsa.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Introduce SpendAuth: SigType and Binding: SigType traits 

The prior `SpendAuth` and `Binding` enums have been renamed to
`sapling::{SpendAuth, Binding}`. These might subsequently be removed
from the crate entirely (moving into a wrapping `redjubjub` crate).

The code assumes that scalar and point representations are [u8; 32],
which will be the case for all curves we instantiate RedDSA with for
Zcash.
This commit is contained in:
Jack Grigg 2021-03-01 15:29:07 +00:00
parent 7e80588550
commit 878dd1351b
21 changed files with 471 additions and 357 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Cargo.toml
View File

@ -26,6 +26,7 @@ features = ["nightly"]
blake2b_simd = "0.5"
byteorder = "1.4"
digest = "0.9"
group = "0.11"
jubjub = "0.8"
rand_core = "0.6"
serde = { version = "1", optional = true, features = ["derive"] }

11
README.md
View File

@ -1,15 +1,18 @@
A minimal [RedDSA][reddsa] implementation for use in Zcash.
Two parameterizations of RedJubjub are used in Zcash, one for
Two specializations of RedDSA are used in Zcash: RedJubjub and
RedPallas. For each of these, two parameterizations are used, one for
`BindingSig` and one for `SpendAuthSig`. This library distinguishes
these in the type system, using the [sealed] `SigType` trait as a
type-level enum.
In addition to the `Signature`, `SigningKey`, `VerificationKey` types,
the library also provides `VerificationKeyBytes`, a [refinement] of a
`[u8; 32]` indicating that bytes represent an encoding of a RedJubjub
`[u8; 32]` indicating that bytes represent an encoding of a RedDSA
verification key. This allows the `VerificationKey` type to cache
verification checks related to the verification key encoding.
For all specializations of RedDSA used in Zcash, encodings of signing
and verification keys are 32 bytes.
## Examples
@ -24,7 +27,7 @@ use reddsa::*;
let msg = b"Hello!";
// Generate a secret key and sign the message
let sk = SigningKey::<Binding>::new(thread_rng());
let sk = SigningKey::<sapling::Binding>::new(thread_rng());
let sig = sk.sign(thread_rng(), msg);
// Types can be converted to raw byte arrays using From/Into
@ -32,7 +35,7 @@ let sig_bytes: [u8; 64] = sig.into();
let pk_bytes: [u8; 32] = VerificationKey::from(&sk).into();
// Deserialize and verify the signature.
let sig: Signature<Binding> = sig_bytes.into();
let sig: Signature<sapling::Binding> = sig_bytes.into();
assert!(
VerificationKey::try_from(pk_bytes)
.and_then(|pk| pk.verify(msg, &sig))

16
benches/bench.rs
View File

@ -6,12 +6,12 @@ use std::convert::TryFrom;
enum Item {
SpendAuth {
vk_bytes: VerificationKeyBytes<SpendAuth>,
sig: Signature<SpendAuth>,
vk_bytes: VerificationKeyBytes<sapling::SpendAuth>,
sig: Signature<sapling::SpendAuth>,
},
Binding {
vk_bytes: VerificationKeyBytes<Binding>,
sig: Signature<Binding>,
vk_bytes: VerificationKeyBytes<sapling::Binding>,
sig: Signature<sapling::Binding>,
},
}
@ -21,13 +21,13 @@ fn sigs_with_distinct_keys() -> impl Iterator<Item = Item> {
let msg = b"Bench";
match rng.gen::<u8>() % 2 {
0 => {
let sk = SigningKey::<SpendAuth>::new(thread_rng());
let sk = SigningKey::<sapling::SpendAuth>::new(thread_rng());
let vk_bytes = VerificationKey::from(&sk).into();
let sig = sk.sign(thread_rng(), &msg[..]);
Item::SpendAuth { vk_bytes, sig }
}
1 => {
let sk = SigningKey::<Binding>::new(thread_rng());
let sk = SigningKey::<sapling::Binding>::new(thread_rng());
let vk_bytes = VerificationKey::from(&sk).into();
let sig = sk.sign(thread_rng(), &msg[..]);
Item::Binding { vk_bytes, sig }
@ -76,10 +76,10 @@ fn bench_batch_verify(c: &mut Criterion) {
let msg = b"Bench";
match item {
Item::SpendAuth { vk_bytes, sig } => {
batch.queue((*vk_bytes, *sig, msg));
batch.queue(batch::Item::from_spendauth(*vk_bytes, *sig, msg));
}
Item::Binding { vk_bytes, sig } => {
batch.queue((*vk_bytes, *sig, msg));
batch.queue(batch::Item::from_binding(*vk_bytes, *sig, msg));
}
}
}

117
src/batch.rs
View File

@ -8,7 +8,7 @@
// - Deirdre Connolly <deirdre@zfnd.org>
// - Henry de Valence <hdevalence@hdevalence.ca>
//! Performs batch RedJubjub signature verification.
//! Performs batch RedDSA signature verification.
//!
//! Batch verification asks whether *all* signatures in some set are valid,
//! rather than asking whether *each* of them is valid. This allows sharing
@ -20,10 +20,14 @@
use std::convert::TryFrom;
use jubjub::*;
use group::{
cofactor::CofactorGroup,
ff::{Field, PrimeField},
GroupEncoding,
};
use rand_core::{CryptoRng, RngCore};
use crate::{private::Sealed, scalar_mul::VartimeMultiscalarMul, *};
use crate::{private::SealedScalar, scalar_mul::VartimeMultiscalarMul, *};
// Shim to generate a random 128bit value in a [u64; 4], without
// importing `rand`.
@ -35,16 +39,16 @@ fn gen_128_bits<R: RngCore + CryptoRng>(mut rng: R) -> [u64; 4] {
}
#[derive(Clone, Debug)]
enum Inner {
enum Inner<S: SpendAuth, B: Binding<Scalar = S::Scalar, Point = S::Point>> {
SpendAuth {
vk_bytes: VerificationKeyBytes<SpendAuth>,
sig: Signature<SpendAuth>,
c: Scalar,
vk_bytes: VerificationKeyBytes<S>,
sig: Signature<S>,
c: S::Scalar,
},
Binding {
vk_bytes: VerificationKeyBytes<Binding>,
sig: Signature<Binding>,
c: Scalar,
vk_bytes: VerificationKeyBytes<B>,
sig: Signature<B>,
c: B::Scalar,
},
}
@ -54,26 +58,19 @@ enum Inner {
/// lifetime of the message. This is useful when using the batch verification API
/// in an async context.
#[derive(Clone, Debug)]
pub struct Item {
inner: Inner,
pub struct Item<S: SpendAuth, B: Binding<Scalar = S::Scalar, Point = S::Point>> {
inner: Inner<S, B>,
}
impl<'msg, M: AsRef<[u8]>>
From<(
VerificationKeyBytes<SpendAuth>,
Signature<SpendAuth>,
&'msg M,
)> for Item
{
fn from(
(vk_bytes, sig, msg): (
VerificationKeyBytes<SpendAuth>,
Signature<SpendAuth>,
&'msg M,
),
impl<S: SpendAuth, B: Binding<Scalar = S::Scalar, Point = S::Point>> Item<S, B> {
/// Create a batch item from a `SpendAuth` signature.
pub fn from_spendauth<'msg, M: AsRef<[u8]>>(
vk_bytes: VerificationKeyBytes<S>,
sig: Signature<S>,
msg: &'msg M,
) -> Self {
// Compute c now to avoid dependency on the msg lifetime.
let c = HStar::default()
let c = HStar::<S>::default()
.update(&sig.r_bytes[..])
.update(&vk_bytes.bytes[..])
.update(msg)
@ -82,16 +79,15 @@ impl<'msg, M: AsRef<[u8]>>
inner: Inner::SpendAuth { vk_bytes, sig, c },
}
}
}
impl<'msg, M: AsRef<[u8]>> From<(VerificationKeyBytes<Binding>, Signature<Binding>, &'msg M)>
for Item
{
fn from(
(vk_bytes, sig, msg): (VerificationKeyBytes<Binding>, Signature<Binding>, &'msg M),
/// Create a batch item from a `Binding` signature.
pub fn from_binding<'msg, M: AsRef<[u8]>>(
vk_bytes: VerificationKeyBytes<B>,
sig: Signature<B>,
msg: &'msg M,
) -> Self {
// Compute c now to avoid dependency on the msg lifetime.
let c = HStar::default()
let c = HStar::<B>::default()
.update(&sig.r_bytes[..])
.update(&vk_bytes.bytes[..])
.update(msg)
@ -100,9 +96,7 @@ impl<'msg, M: AsRef<[u8]>> From<(VerificationKeyBytes<Binding>, Signature<Bindin
inner: Inner::Binding { vk_bytes, sig, c },
}
}
}
impl Item {
/// Perform non-batched verification of this `Item`.
///
/// This is useful (in combination with `Item::clone`) for implementing fallback
@ -113,31 +107,36 @@ impl Item {
#[allow(non_snake_case)]
pub fn verify_single(self) -> Result<(), Error> {
match self.inner {
Inner::Binding { vk_bytes, sig, c } => VerificationKey::<Binding>::try_from(vk_bytes)
.and_then(|vk| vk.verify_prehashed(&sig, c)),
Inner::Binding { vk_bytes, sig, c } => {
VerificationKey::<B>::try_from(vk_bytes).and_then(|vk| vk.verify_prehashed(&sig, c))
}
Inner::SpendAuth { vk_bytes, sig, c } => {
VerificationKey::<SpendAuth>::try_from(vk_bytes)
.and_then(|vk| vk.verify_prehashed(&sig, c))
VerificationKey::<S>::try_from(vk_bytes).and_then(|vk| vk.verify_prehashed(&sig, c))
}
}
}
}
#[derive(Default)]
/// A batch verification context.
pub struct Verifier {
pub struct Verifier<S: SpendAuth, B: Binding<Scalar = S::Scalar, Point = S::Point>> {
/// Signature data queued for verification.
signatures: Vec<Item>,
signatures: Vec<Item<S, B>>,
}
impl Verifier {
impl<S: SpendAuth, B: Binding<Scalar = S::Scalar, Point = S::Point>> Default for Verifier<S, B> {
fn default() -> Self {
Verifier { signatures: vec![] }
}
}
impl<S: SpendAuth, B: Binding<Scalar = S::Scalar, Point = S::Point>> Verifier<S, B> {
/// Construct a new batch verifier.
pub fn new() -> Verifier {
pub fn new() -> Verifier<S, B> {
Verifier::default()
}
/// Queue an Item for verification.
pub fn queue<I: Into<Item>>(&mut self, item: I) {
pub fn queue<I: Into<Item<S, B>>>(&mut self, item: I) {
self.signatures.push(item.into());
}
@ -163,7 +162,7 @@ impl Verifier {
/// - h_G is the cofactor of the group;
/// - P_G is the generator of the subgroup;
///
/// Since RedJubjub uses different subgroups for different types
/// Since RedDSA uses different subgroups for different types
/// of signatures, SpendAuth's and Binding's, we need to have yet
/// another point and associated scalar accumulator for all the
/// signatures of each type in our batch, but we can still
@ -185,8 +184,8 @@ impl Verifier {
let mut VKs = Vec::with_capacity(n);
let mut R_coeffs = Vec::with_capacity(self.signatures.len());
let mut Rs = Vec::with_capacity(self.signatures.len());
let mut P_spendauth_coeff = Scalar::zero();
let mut P_binding_coeff = Scalar::zero();
let mut P_spendauth_coeff = S::Scalar::zero();
let mut P_binding_coeff = B::Scalar::zero();
for item in self.signatures.iter() {
let (s_bytes, r_bytes, c) = match item.inner {
@ -196,7 +195,9 @@ impl Verifier {
let s = {
// XXX-jubjub: should not use CtOption here
let maybe_scalar = Scalar::from_bytes(&s_bytes);
let mut repr = <S::Scalar as PrimeField>::Repr::default();
repr.as_mut().copy_from_slice(&s_bytes);
let maybe_scalar = S::Scalar::from_repr(repr);
if maybe_scalar.is_some().into() {
maybe_scalar.unwrap()
} else {
@ -207,9 +208,11 @@ impl Verifier {
let R = {
// XXX-jubjub: should not use CtOption here
// XXX-jubjub: inconsistent ownership in from_bytes
let maybe_point = AffinePoint::from_bytes(r_bytes);
let mut repr = <S::Point as GroupEncoding>::Repr::default();
repr.as_mut().copy_from_slice(&r_bytes);
let maybe_point = S::Point::from_bytes(&repr);
if maybe_point.is_some().into() {
jubjub::ExtendedPoint::from(maybe_point.unwrap())
maybe_point.unwrap()
} else {
return Err(Error::InvalidSignature);
}
@ -217,14 +220,14 @@ impl Verifier {
let VK = match item.inner {
Inner::SpendAuth { vk_bytes, .. } => {
VerificationKey::<SpendAuth>::try_from(vk_bytes.bytes)?.point
VerificationKey::<S>::try_from(vk_bytes.bytes)?.point
}
Inner::Binding { vk_bytes, .. } => {
VerificationKey::<Binding>::try_from(vk_bytes.bytes)?.point
VerificationKey::<B>::try_from(vk_bytes.bytes)?.point
}
};
let z = Scalar::from_raw(gen_128_bits(&mut rng));
let z = S::Scalar::from_raw(gen_128_bits(&mut rng));
let P_coeff = z * s;
match item.inner {
@ -239,7 +242,7 @@ impl Verifier {
R_coeffs.push(z);
Rs.push(R);
VK_coeffs.push(Scalar::zero() + (z * c));
VK_coeffs.push(S::Scalar::zero() + (z * c));
VKs.push(VK);
}
@ -250,10 +253,10 @@ impl Verifier {
.chain(VK_coeffs.iter())
.chain(R_coeffs.iter());
let basepoints = [SpendAuth::basepoint(), Binding::basepoint()];
let basepoints = [S::basepoint(), B::basepoint()];
let points = basepoints.iter().chain(VKs.iter()).chain(Rs.iter());
let check = ExtendedPoint::vartime_multiscalar_mul(scalars, points);
let check = S::Point::vartime_multiscalar_mul(scalars, points);
if check.is_small_order().into() {
Ok(())

2
src/error.rs
View File

@ -10,7 +10,7 @@
use thiserror::Error;
/// An error related to RedJubJub signatures.
/// An error related to RedDSA signatures.
#[derive(Error, Debug, Copy, Clone, Eq, PartialEq)]
pub enum Error {
/// The encoding of a signing key was malformed.

294
src/frost.rs
View File

@ -23,36 +23,43 @@
//! Internally, keygen_with_dealer generates keys using Verifiable Secret
//! Sharing, where shares are generated using Shamir Secret Sharing.
use std::{collections::HashMap, convert::TryFrom, marker::PhantomData};
use std::{
collections::HashMap,
convert::{TryFrom, TryInto},
marker::PhantomData,
};
use jubjub::Scalar;
use group::{
cofactor::CofactorCurve,
ff::{Field, PrimeField},
Curve, Group, GroupEncoding,
};
use rand_core::{CryptoRng, RngCore};
use zeroize::DefaultIsZeroes;
use crate::private::Sealed;
use crate::{HStar, Signature, SpendAuth, VerificationKey};
use crate::{private::SealedScalar, sapling, HStar, Signature, SpendAuth, VerificationKey};
/// A secret scalar value representing a single signer's secret key.
#[derive(Clone, Copy, Default, PartialEq)]
pub struct Secret(pub(crate) Scalar);
pub struct Secret<S: SpendAuth>(pub(crate) S::Scalar);
// Zeroizes `Secret` to be the `Default` value on drop (when it goes out of
// scope). Luckily the derived `Default` includes the `Default` impl of
// jubjub::Fr/Scalar, which is four 0u64's under the hood.
impl DefaultIsZeroes for Secret {}
impl<S: SpendAuth> DefaultIsZeroes for Secret<S> {}
impl From<Scalar> for Secret {
fn from(source: Scalar) -> Secret {
impl From<jubjub::Scalar> for Secret<sapling::SpendAuth> {
fn from(source: jubjub::Scalar) -> Secret<sapling::SpendAuth> {
Secret(source)
}
}
/// A public group element that represents a single signer's public key.
#[derive(Copy, Clone, Debug, PartialEq)]
pub struct Public(jubjub::ExtendedPoint);
pub struct Public<S: SpendAuth>(S::Point);
impl From<jubjub::ExtendedPoint> for Public {
fn from(source: jubjub::ExtendedPoint) -> Public {
impl From<jubjub::ExtendedPoint> for Public<sapling::SpendAuth> {
fn from(source: jubjub::ExtendedPoint) -> Public<sapling::SpendAuth> {
Public(source)
}
}
@ -61,12 +68,12 @@ impl From<jubjub::ExtendedPoint> for Public {
/// n is the total number of shares and t is the threshold required to
/// reconstruct the secret; in this case we use Shamir's secret sharing.
#[derive(Clone)]
pub struct Share {
pub struct Share<S: SpendAuth> {
receiver_index: u64,
/// Secret Key.
pub(crate) value: Secret,
pub(crate) value: Secret<S>,
/// The commitments to be distributed among signers.
pub(crate) commitment: ShareCommitment,
pub(crate) commitment: ShareCommitment<S>,
}
/// A Jubjub point that is a commitment to one coefficient of our secret
@ -75,7 +82,7 @@ pub struct Share {
/// This is a (public) commitment to one coefficient of a secret polynomial used
/// for performing verifiable secret sharing for a Shamir secret share.
#[derive(Clone, PartialEq)]
pub(crate) struct Commitment(pub(crate) jubjub::AffinePoint);
pub(crate) struct Commitment<S: SpendAuth>(pub(crate) <S::Point as CofactorCurve>::Affine);
/// Contains the commitments to the coefficients for our secret polynomial _f_,
/// used to generate participants' key shares.
@ -90,30 +97,30 @@ pub(crate) struct Commitment(pub(crate) jubjub::AffinePoint);
/// some agreed-upon public location for publication, where each participant can
/// ensure that they received the correct (and same) value.
#[derive(Clone)]
pub struct ShareCommitment(pub(crate) Vec<Commitment>);
pub struct ShareCommitment<S: SpendAuth>(pub(crate) Vec<Commitment<S>>);
/// The product of all signers' individual commitments, published as part of the
/// final signature.
#[derive(PartialEq)]
pub struct GroupCommitment(pub(crate) jubjub::AffinePoint);
pub struct GroupCommitment<S: SpendAuth>(pub(crate) <S::Point as CofactorCurve>::Affine);
/// Secret and public key material generated by a dealer performing
/// [`keygen_with_dealer`].
///
/// To derive a FROST keypair, the receiver of the [`SharePackage`] *must* call
/// .into(), which under the hood also performs validation.
pub struct SharePackage {
pub struct SharePackage<S: SpendAuth> {
/// The public signing key that represents the entire group.
pub(crate) group_public: VerificationKey<SpendAuth>,
pub(crate) group_public: VerificationKey<S>,
/// Denotes the participant index each share is owned by.
pub index: u64,
/// This participant's public key.
pub(crate) public: Public,
pub(crate) public: Public<S>,
/// This participant's share.
pub(crate) share: Share,
pub(crate) share: Share<S>,
}
impl TryFrom<SharePackage> for KeyPackage {
impl<S: SpendAuth> TryFrom<SharePackage<S>> for KeyPackage<S> {
type Error = &'static str;
/// Tries to verify a share and construct a [`KeyPackage`] from it.
@ -124,7 +131,7 @@ impl TryFrom<SharePackage> for KeyPackage {
/// every participant has the same view of the commitment issued by the
/// dealer, but implementations *MUST* make sure that all participants have
/// a consistent view of this commitment in practice.
fn try_from(sharepackage: SharePackage) -> Result<Self, &'static str> {
fn try_from(sharepackage: SharePackage<S>) -> Result<Self, &'static str> {
verify_share(&sharepackage.share)?;
Ok(KeyPackage {
@ -143,25 +150,25 @@ impl TryFrom<SharePackage> for KeyPackage {
/// participants, who then perform verification, before deriving
/// [`KeyPackage`]s, which they store to later use during signing.
#[allow(dead_code)]
pub struct KeyPackage {
pub struct KeyPackage<S: SpendAuth> {
index: u64,
secret_share: Secret,
public: Public,
group_public: VerificationKey<SpendAuth>,
secret_share: Secret<S>,
public: Public<S>,
group_public: VerificationKey<S>,
}
/// Public data that contains all the signer's public keys as well as the
/// group public key.
///
/// Used for verification purposes before publishing a signature.
pub struct PublicKeyPackage {
pub struct PublicKeyPackage<S: SpendAuth> {
/// When performing signing, the coordinator must ensure that they have the
/// correct view of participant's public keys to perform verification before
/// publishing a signature. signer_pubkeys represents all signers for a
/// signing operation.
pub(crate) signer_pubkeys: HashMap<u64, Public>,
pub(crate) signer_pubkeys: HashMap<u64, Public<S>>,
/// group_public represents the joint public key for the entire group.
pub group_public: VerificationKey<SpendAuth>,
pub group_public: VerificationKey<S>,
}
/// Allows all participants' keys to be generated using a central, trusted
@ -172,22 +179,22 @@ pub struct PublicKeyPackage {
/// key. The output from this function is a set of shares along with one single
/// commitment that participants use to verify the integrity of the share. The
/// number of signers is limited to 255.
pub fn keygen_with_dealer<R: RngCore + CryptoRng>(
pub fn keygen_with_dealer<R: RngCore + CryptoRng, S: SpendAuth>(
num_signers: u8,
threshold: u8,
mut rng: R,
) -> Result<(Vec<SharePackage>, PublicKeyPackage), &'static str> {
) -> Result<(Vec<SharePackage<S>>, PublicKeyPackage<S>), &'static str> {
let mut bytes = [0; 64];
rng.fill_bytes(&mut bytes);
let secret = Secret(Scalar::from_bytes_wide(&bytes));
let secret = Secret(S::Scalar::from_bytes_wide(&bytes));
let group_public = VerificationKey::from(&secret.0);
let shares = generate_shares(&secret, num_signers, threshold, rng)?;
let mut sharepackages: Vec<SharePackage> = Vec::with_capacity(num_signers as usize);
let mut signer_pubkeys: HashMap<u64, Public> = HashMap::with_capacity(num_signers as usize);
let mut sharepackages: Vec<SharePackage<S>> = Vec::with_capacity(num_signers as usize);
let mut signer_pubkeys: HashMap<u64, Public<S>> = HashMap::with_capacity(num_signers as usize);
for share in shares {
let signer_public = Public(SpendAuth::basepoint() * share.value.0);
let signer_public = Public(S::basepoint() * share.value.0);
sharepackages.push(SharePackage {
index: share.receiver_index,
share: share.clone(),
@ -213,13 +220,13 @@ pub fn keygen_with_dealer<R: RngCore + CryptoRng>(
/// mechanism as all other signing participants. Note that participants *MUST*
/// ensure that they have the same view as all other participants of the
/// commitment!
fn verify_share(share: &Share) -> Result<(), &'static str> {
let f_result = SpendAuth::basepoint() * share.value.0;
fn verify_share<S: SpendAuth>(share: &Share<S>) -> Result<(), &'static str> {
let f_result = S::basepoint() * share.value.0;
let x = Scalar::from(share.receiver_index as u64);
let x = S::Scalar::from(share.receiver_index as u64);
let (_, result) = share.commitment.0.iter().fold(
(Scalar::one(), jubjub::ExtendedPoint::identity()),
(S::Scalar::one(), S::Point::identity()),
|(x_to_the_i, sum_so_far), comm_i| (x_to_the_i * x, sum_so_far + comm_i.0 * x_to_the_i),
);
@ -245,12 +252,12 @@ fn verify_share(share: &Share) -> Result<(), &'static str> {
/// polynomial f
/// - For each participant i, their secret share is f(i)
/// - The commitment to the secret polynomial f is [g^a, g^b, g^c]
fn generate_shares<R: RngCore + CryptoRng>(
secret: &Secret,
fn generate_shares<R: RngCore + CryptoRng, S: SpendAuth>(
secret: &Secret<S>,
numshares: u8,
threshold: u8,
mut rng: R,
) -> Result<Vec<Share>, &'static str> {
) -> Result<Vec<Share<S>>, &'static str> {
if threshold < 1 {
return Err("Threshold cannot be 0");
}
@ -265,36 +272,37 @@ fn generate_shares<R: RngCore + CryptoRng>(
let numcoeffs = threshold - 1;
let mut coefficients: Vec<Scalar> = Vec::with_capacity(threshold as usize);
let mut coefficients: Vec<S::Scalar> = Vec::with_capacity(threshold as usize);
let mut shares: Vec<Share> = Vec::with_capacity(numshares as usize);
let mut shares: Vec<Share<S>> = Vec::with_capacity(numshares as usize);
let mut commitment: ShareCommitment = ShareCommitment(Vec::with_capacity(threshold as usize));
let mut commitment: ShareCommitment<S> =
ShareCommitment(Vec::with_capacity(threshold as usize));
for _ in 0..numcoeffs {
let mut bytes = [0; 64];
rng.fill_bytes(&mut bytes);
coefficients.push(Scalar::from_bytes_wide(&bytes));
coefficients.push(S::Scalar::from_bytes_wide(&bytes));
}
// Verifiable secret sharing, to make sure that participants can ensure their secret is consistent
// with every other participant's.
commitment.0.push(Commitment(jubjub::AffinePoint::from(
SpendAuth::basepoint() * secret.0,
)));
commitment
.0
.push(Commitment((S::basepoint() * secret.0).to_affine()));
for c in &coefficients {
commitment.0.push(Commitment(jubjub::AffinePoint::from(
SpendAuth::basepoint() * c,
)));
commitment
.0
.push(Commitment((S::basepoint() * c).to_affine()));
}
// Evaluate the polynomial with `secret` as the constant term
// and `coeffs` as the other coefficients at the point x=share_index,
// using Horner's method.
for index in 1..numshares + 1 {
let scalar_index = Scalar::from(index as u64);
let mut value = Scalar::zero();
let scalar_index = S::Scalar::from(index as u64);
let mut value = S::Scalar::zero();
// Polynomial evaluation, for this index
for i in (0..numcoeffs).rev() {
@ -319,17 +327,17 @@ fn generate_shares<R: RngCore + CryptoRng>(
/// operation; re-using nonces will result in leakage of a signer's long-lived
/// signing key.
#[derive(Clone, Copy, Default)]
pub struct SigningNonces {
hiding: Scalar,
binding: Scalar,
pub struct SigningNonces<S: SpendAuth> {
hiding: S::Scalar,
binding: S::Scalar,
}
// Zeroizes `SigningNonces` to be the `Default` value on drop (when it goes out
// of scope). Luckily the derived `Default` includes the `Default` impl of the
// `jubjub::Fr/Scalar`'s, which is four 0u64's under the hood.
impl DefaultIsZeroes for SigningNonces {}
impl<S: SpendAuth> DefaultIsZeroes for SigningNonces<S> {}
impl SigningNonces {
impl<S: SpendAuth> SigningNonces<S> {
/// Generates a new signing nonce.
///
/// Each participant generates signing nonces before performing a signing
@ -353,8 +361,8 @@ impl SigningNonces {
// The values of 'hiding' and 'binding' must be non-zero so that commitments are not the
// identity.
let hiding = Scalar::from_bytes_wide(&random_nonzero_bytes(rng));
let binding = Scalar::from_bytes_wide(&random_nonzero_bytes(rng));
let hiding = S::Scalar::from_bytes_wide(&random_nonzero_bytes(rng));
let binding = S::Scalar::from_bytes_wide(&random_nonzero_bytes(rng));
Self { hiding, binding }
}
@ -365,32 +373,32 @@ impl SigningNonces {
/// This step can be batched if desired by the implementation. Each
/// SigningCommitment can be used for exactly *one* signature.
#[derive(Copy, Clone)]
pub struct SigningCommitments {
pub struct SigningCommitments<S: SpendAuth> {
/// The participant index
pub(crate) index: u64,
/// The hiding point.
pub(crate) hiding: jubjub::ExtendedPoint,
pub(crate) hiding: S::Point,
/// The binding point.
pub(crate) binding: jubjub::ExtendedPoint,
pub(crate) binding: S::Point,
}
impl From<(u64, &SigningNonces)> for SigningCommitments {
/// For SpendAuth signatures only, not Binding signatures, in RedJubjub/Zcash.
fn from((index, nonces): (u64, &SigningNonces)) -> Self {
impl<S: SpendAuth> From<(u64, &SigningNonces<S>)> for SigningCommitments<S> {
/// For SpendAuth signatures only, not Binding signatures, in RedDSA/Zcash.
fn from((index, nonces): (u64, &SigningNonces<S>)) -> Self {
Self {
index,
hiding: SpendAuth::basepoint() * nonces.hiding,
binding: SpendAuth::basepoint() * nonces.binding,
hiding: S::basepoint() * nonces.hiding,
binding: S::basepoint() * nonces.binding,
}
}
}
/// Generated by the coordinator of the signing operation and distributed to
/// each signing party.
pub struct SigningPackage {
pub struct SigningPackage<S: SpendAuth> {
/// The set of commitments participants published in the first round of the
/// protocol.
pub signing_commitments: Vec<SigningCommitments>,
pub signing_commitments: Vec<SigningCommitments<S>>,
/// Message which each participant will sign.
///
/// Each signer should perform protocol-specific verification on the message.
@ -399,37 +407,35 @@ pub struct SigningPackage {
/// A representation of a single signature used in FROST structures and messages.
#[derive(Clone, Copy, Default, PartialEq)]
pub struct SignatureResponse(pub(crate) Scalar);
pub struct SignatureResponse<S: SpendAuth>(pub(crate) S::Scalar);
/// A participant's signature share, which the coordinator will use to aggregate
/// with all other signer's shares into the joint signature.
#[derive(Clone, Copy, Default)]
pub struct SignatureShare {
pub struct SignatureShare<S: SpendAuth> {
/// Represents the participant index.
pub(crate) index: u64,
/// This participant's signature over the message.
pub(crate) signature: SignatureResponse,
pub(crate) signature: SignatureResponse<S>,
}
// Zeroizes `SignatureShare` to be the `Default` value on drop (when it goes out
// of scope). Luckily the derived `Default` includes the `Default` impl of
// jubjub::Fr/Scalar, which is four 0u64's under the hood, and u32, which is
// 0u32.
impl DefaultIsZeroes for SignatureShare {}
impl<S: SpendAuth> DefaultIsZeroes for SignatureShare<S> {}
impl SignatureShare {
impl<S: SpendAuth> SignatureShare<S> {
/// Tests if a signature share issued by a participant is valid before
/// aggregating it into a final joint signature to publish.
pub fn check_is_valid(
&self,
pubkey: &Public,
lambda_i: Scalar,
commitment: jubjub::ExtendedPoint,
challenge: Scalar,
pubkey: &Public<S>,
lambda_i: S::Scalar,
commitment: S::Point,
challenge: S::Scalar,
) -> Result<(), &'static str> {
if (SpendAuth::basepoint() * self.signature.0)
!= (commitment + pubkey.0 * challenge * lambda_i)
{
if (S::basepoint() * self.signature.0) != (commitment + pubkey.0 * challenge * lambda_i) {
return Err("Invalid signature share");
}
Ok(())
@ -448,16 +454,18 @@ impl SignatureShare {
/// turns out to be too conservative.
// TODO: Make sure the above is a correct statement, fix if needed in:
// https://github.com/ZcashFoundation/redjubjub/issues/111
pub fn preprocess<R>(
pub fn preprocess<R, S>(
num_nonces: u8,
participant_index: u64,
rng: &mut R,
) -> (Vec<SigningNonces>, Vec<SigningCommitments>)
) -> (Vec<SigningNonces<S>>, Vec<SigningCommitments<S>>)
where
R: CryptoRng + RngCore,
S: SpendAuth,
{
let mut signing_nonces: Vec<SigningNonces> = Vec::with_capacity(num_nonces as usize);
let mut signing_commitments: Vec<SigningCommitments> = Vec::with_capacity(num_nonces as usize);
let mut signing_nonces: Vec<SigningNonces<S>> = Vec::with_capacity(num_nonces as usize);
let mut signing_commitments: Vec<SigningCommitments<S>> =
Vec::with_capacity(num_nonces as usize);
for _ in 0..num_nonces {
let nonces = SigningNonces::new(rng);
@ -470,28 +478,28 @@ where
/// Generates the binding factor that ensures each signature share is strongly
/// bound to a signing set, specific set of commitments, and a specific message.
fn gen_rho_i(index: u64, signing_package: &SigningPackage) -> Scalar {
fn gen_rho_i<S: SpendAuth>(index: u64, signing_package: &SigningPackage<S>) -> S::Scalar {
// Hash signature message with HStar before deriving the binding factor.
//
// To avoid a collision with other inputs to the hash that generates the
// binding factor, we should hash our input message first. Our 'standard'
// hash is HStar, which uses a domain separator already, and is the same one
// that generates the binding factor.
let message_hash = HStar::default()
let message_hash = HStar::<S>::default()
.update(signing_package.message.as_slice())
.finalize();
let mut hasher = HStar::default();
let mut hasher = HStar::<S>::default();
hasher
.update("FROST_rho".as_bytes())
.update(index.to_be_bytes())
.update(message_hash.to_bytes());
.update(message_hash.to_repr());
for item in signing_package.signing_commitments.iter() {
hasher.update(item.index.to_be_bytes());
let hiding_bytes = jubjub::AffinePoint::from(item.hiding).to_bytes();
let hiding_bytes = item.hiding.to_bytes();
hasher.update(hiding_bytes);
let binding_bytes = jubjub::AffinePoint::from(item.binding).to_bytes();
let binding_bytes = item.binding.to_bytes();
hasher.update(binding_bytes);
}
@ -500,11 +508,11 @@ fn gen_rho_i(index: u64, signing_package: &SigningPackage) -> Scalar {
/// Generates the group commitment which is published as part of the joint
/// Schnorr signature.
fn gen_group_commitment(
signing_package: &SigningPackage,
bindings: &HashMap<u64, Scalar>,
) -> Result<GroupCommitment, &'static str> {
let identity = jubjub::ExtendedPoint::identity();
fn gen_group_commitment<S: SpendAuth>(
signing_package: &SigningPackage<S>,
bindings: &HashMap<u64, S::Scalar>,
) -> Result<GroupCommitment<S>, &'static str> {
let identity = S::Point::identity();
let mut accumulator = identity;
for commitment in signing_package.signing_commitments.iter() {
@ -520,18 +528,18 @@ fn gen_group_commitment(
accumulator += commitment.hiding + (commitment.binding * rho_i)
}
Ok(GroupCommitment(jubjub::AffinePoint::from(accumulator)))
Ok(GroupCommitment(accumulator.to_affine()))
}
/// Generates the challenge as is required for Schnorr signatures.
fn gen_challenge(
signing_package: &SigningPackage,
group_commitment: &GroupCommitment,
group_public: &VerificationKey<SpendAuth>,
) -> Scalar {
let group_commitment_bytes = jubjub::AffinePoint::from(group_commitment.0).to_bytes();
fn gen_challenge<S: SpendAuth>(
signing_package: &SigningPackage<S>,
group_commitment: &GroupCommitment<S>,
group_public: &VerificationKey<S>,
) -> S::Scalar {
let group_commitment_bytes = group_commitment.0.to_bytes();
HStar::default()
HStar::<S>::default()
.update(group_commitment_bytes)
.update(group_public.bytes.bytes)
.update(signing_package.message.as_slice())
@ -539,21 +547,21 @@ fn gen_challenge(
}
/// Generates the lagrange coefficient for the i'th participant.
fn gen_lagrange_coeff(
fn gen_lagrange_coeff<S: SpendAuth>(
signer_index: u64,
signing_package: &SigningPackage,
) -> Result<Scalar, &'static str> {
let mut num = Scalar::one();
let mut den = Scalar::one();
signing_package: &SigningPackage<S>,
) -> Result<S::Scalar, &'static str> {
let mut num = S::Scalar::one();
let mut den = S::Scalar::one();
for commitment in signing_package.signing_commitments.iter() {
if commitment.index == signer_index {
continue;
}
num *= Scalar::from(commitment.index as u64);
den *= Scalar::from(commitment.index as u64) - Scalar::from(signer_index as u64);
num *= S::Scalar::from(commitment.index as u64);
den *= S::Scalar::from(commitment.index as u64) - S::Scalar::from(signer_index as u64);
}
if den == Scalar::zero() {
if den == S::Scalar::zero() {
return Err("Duplicate shares provided");
}
@ -571,12 +579,12 @@ fn gen_lagrange_coeff(
///
/// Assumes the participant has already determined which nonce corresponds with
/// the commitment that was assigned by the coordinator in the SigningPackage.
pub fn sign(
signing_package: &SigningPackage,
participant_nonces: SigningNonces,
share_package: &SharePackage,
) -> Result<SignatureShare, &'static str> {
let mut bindings: HashMap<u64, Scalar> =
pub fn sign<S: SpendAuth>(
signing_package: &SigningPackage<S>,
participant_nonces: SigningNonces<S>,
share_package: &SharePackage<S>,
) -> Result<SignatureShare<S>, &'static str> {
let mut bindings: HashMap<u64, S::Scalar> =
HashMap::with_capacity(signing_package.signing_commitments.len());
for comm in signing_package.signing_commitments.iter() {
@ -599,7 +607,7 @@ pub fn sign(
.ok_or("No matching binding!")?;
// The Schnorr signature share
let signature: Scalar = participant_nonces.hiding
let signature: S::Scalar = participant_nonces.hiding
+ (participant_nonces.binding * participant_rho_i)
+ (lambda_i * share_package.share.value.0 * challenge);
@ -624,12 +632,12 @@ pub fn sign(
/// signature, if the coordinator themselves is a signer and misbehaves, they
/// can avoid that step. However, at worst, this results in a denial of
/// service attack due to publishing an invalid signature.
pub fn aggregate(
signing_package: &SigningPackage,
signing_shares: &[SignatureShare],
pubkeys: &PublicKeyPackage,
) -> Result<Signature<SpendAuth>, &'static str> {
let mut bindings: HashMap<u64, Scalar> =
pub fn aggregate<S: SpendAuth>(
signing_package: &SigningPackage<S>,
signing_shares: &[SignatureShare<S>],
pubkeys: &PublicKeyPackage<S>,
) -> Result<Signature<S>, &'static str> {
let mut bindings: HashMap<u64, S::Scalar> =
HashMap::with_capacity(signing_package.signing_commitments.len());
for comm in signing_package.signing_commitments.iter() {
@ -658,14 +666,14 @@ pub fn aggregate(
// The aggregation of the signature shares by summing them up, resulting in
// a plain Schnorr signature.
let mut z = Scalar::zero();
let mut z = S::Scalar::zero();
for signature_share in signing_shares {
z += signature_share.signature.0;
}
Ok(Signature {
r_bytes: jubjub::AffinePoint::from(group_commitment.0).to_bytes(),
s_bytes: z.to_bytes(),
r_bytes: group_commitment.0.to_bytes().as_ref().try_into().unwrap(),
s_bytes: z.to_repr().as_ref().try_into().unwrap(),
_marker: PhantomData,
})
}
@ -673,35 +681,37 @@ pub fn aggregate(
#[cfg(test)]
mod tests {
use super::*;
use crate::{private::Sealed, sapling};
use jubjub::Scalar;
use rand::thread_rng;
fn reconstruct_secret(shares: Vec<Share>) -> Result<Scalar, &'static str> {
fn reconstruct_secret<S: SpendAuth>(shares: Vec<Share<S>>) -> Result<S::Scalar, &'static str> {
let numshares = shares.len();
if numshares < 1 {
return Err("No shares provided");
}
let mut lagrange_coeffs: Vec<Scalar> = Vec::with_capacity(numshares as usize);
let mut lagrange_coeffs: Vec<S::Scalar> = Vec::with_capacity(numshares as usize);
for i in 0..numshares {
let mut num = Scalar::one();
let mut den = Scalar::one();
let mut num = S::Scalar::one();
let mut den = S::Scalar::one();
for j in 0..numshares {
if j == i {
continue;
}
num *= Scalar::from(shares[j].receiver_index as u64);
den *= Scalar::from(shares[j].receiver_index as u64)
- Scalar::from(shares[i].receiver_index as u64);
num *= S::Scalar::from(shares[j].receiver_index as u64);
den *= S::Scalar::from(shares[j].receiver_index as u64)
- S::Scalar::from(shares[i].receiver_index as u64);
}
if den == Scalar::zero() {
if den == S::Scalar::zero() {
return Err("Duplicate shares provided");
}
lagrange_coeffs.push(num * den.invert().unwrap());
}
let mut secret = Scalar::zero();
let mut secret = S::Scalar::zero();
for i in 0..numshares {
secret += lagrange_coeffs[i] * shares[i].value.0;
@ -720,9 +730,9 @@ mod tests {
rng.fill_bytes(&mut bytes);
let secret = Secret(Scalar::from_bytes_wide(&bytes));
let _ = SpendAuth::basepoint() * secret.0;
let _ = sapling::SpendAuth::basepoint() * secret.0;
let shares = generate_shares(&secret, 5, 3, rng).unwrap();
let shares = generate_shares::<_, sapling::SpendAuth>(&secret, 5, 3, rng).unwrap();
for share in shares.iter() {
assert_eq!(verify_share(&share), Ok(()));

27
src/hash.rs
View File

@ -8,25 +8,32 @@
// - Deirdre Connolly <deirdre@zfnd.org>
// - Henry de Valence <hdevalence@hdevalence.ca>
use blake2b_simd::{Params, State};
use jubjub::Scalar;
use std::marker::PhantomData;
/// Provides H^star, the hash-to-scalar function used by RedJubjub.
pub struct HStar {
use blake2b_simd::{Params, State};
use crate::{private::SealedScalar, SigType};
/// Provides H^star, the hash-to-scalar function used by RedDSA.
pub struct HStar<T: SigType> {
state: State,
_marker: PhantomData<T>,
}
impl Default for HStar {
impl<T: SigType> Default for HStar<T> {
fn default() -> Self {
let state = Params::new()
.hash_length(64)
.personal(b"Zcash_RedJubjubH")
.personal(T::H_STAR_PERSONALIZATION)
.to_state();
Self { state }
Self {
state,
_marker: PhantomData::default(),
}
}
}
impl HStar {
impl<T: SigType> HStar<T> {
/// Add `data` to the hash, and return `Self` for chaining.
pub fn update(&mut self, data: impl AsRef<[u8]>) -> &mut Self {
self.state.update(data.as_ref());
@ -34,7 +41,7 @@ impl HStar {
}
/// Consume `self` to compute the hash output.
pub fn finalize(&self) -> Scalar {
Scalar::from_bytes_wide(self.state.finalize().as_array())
pub fn finalize(&self) -> T::Scalar {
T::Scalar::from_bytes_wide(self.state.finalize().as_array())
}
}

61
src/lib.rs
View File

@ -17,13 +17,14 @@ mod error;
pub mod frost;
mod hash;
mod messages;
pub mod sapling;
mod scalar_mul;
pub(crate) mod signature;
mod signing_key;
mod verification_key;
/// An element of the JubJub scalar field used for randomization of public and secret keys.
pub type Randomizer = jubjub::Scalar;
/// An element of the protocol's scalar field used for randomization of public and secret keys.
pub type Randomizer<S> = <S as private::Sealed<S>>::Scalar;
use hash::HStar;
@ -32,11 +33,11 @@ pub use signature::Signature;
pub use signing_key::SigningKey;
pub use verification_key::{VerificationKey, VerificationKeyBytes};
/// Abstracts over different RedJubJub parameter choices, [`Binding`]
/// Abstracts over different RedDSA parameter choices, [`Binding`]
/// and [`SpendAuth`].
///
/// As described [at the end of §5.4.6][concretereddsa] of the Zcash
/// protocol specification, the generator used in RedJubjub is left as
/// protocol specification, the generator used in RedDSA is left as
/// an unspecified parameter, chosen differently for each of
/// `BindingSig` and `SpendAuthSig`.
///
@ -44,31 +45,57 @@ pub use verification_key::{VerificationKey, VerificationKeyBytes};
/// parameter.
///
/// [concretereddsa]: https://zips.z.cash/protocol/protocol.pdf#concretereddsa
pub trait SigType: private::Sealed {}
pub trait SigType: private::Sealed<Self> {}
/// A type variable corresponding to Zcash's `BindingSig`.
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub enum Binding {}
impl SigType for Binding {}
/// A trait corresponding to `BindingSig` in Zcash protocols.
pub trait Binding: SigType {}
/// A type variable corresponding to Zcash's `SpendAuthSig`.
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub enum SpendAuth {}
impl SigType for SpendAuth {}
/// A trait corresponding to `SpendAuthSig` in Zcash protocols.
pub trait SpendAuth: SigType {}
pub(crate) mod private {
use super::*;
pub trait Sealed: Copy + Clone + Eq + PartialEq + std::fmt::Debug {
fn basepoint() -> jubjub::ExtendedPoint;
pub trait SealedScalar {
fn from_bytes_wide(bytes: &[u8; 64]) -> Self;
fn from_raw(val: [u64; 4]) -> Self;
}
impl Sealed for Binding {
impl SealedScalar for jubjub::Scalar {
fn from_bytes_wide(bytes: &[u8; 64]) -> Self {
jubjub::Scalar::from_bytes_wide(bytes)
}
fn from_raw(val: [u64; 4]) -> Self {
jubjub::Scalar::from_raw(val)
}
}
pub trait Sealed<T: SigType>:
Copy + Clone + Default + Eq + PartialEq + std::fmt::Debug
{
const H_STAR_PERSONALIZATION: &'static [u8; 16];
type Scalar: group::ff::PrimeField + SealedScalar;
type Point: group::cofactor::CofactorCurve<Scalar = Self::Scalar>
+ scalar_mul::VartimeMultiscalarMul<Scalar = Self::Scalar, Point = Self::Point>;
fn basepoint() -> T::Point;
}
impl Sealed<sapling::Binding> for sapling::Binding {
const H_STAR_PERSONALIZATION: &'static [u8; 16] = b"Zcash_RedJubjubH";
type Point = jubjub::ExtendedPoint;
type Scalar = jubjub::Scalar;
fn basepoint() -> jubjub::ExtendedPoint {
jubjub::AffinePoint::from_bytes(constants::BINDINGSIG_BASEPOINT_BYTES)
.unwrap()
.into()
}
}
impl Sealed for SpendAuth {
impl Sealed<sapling::SpendAuth> for sapling::SpendAuth {
const H_STAR_PERSONALIZATION: &'static [u8; 16] = b"Zcash_RedJubjubH";
type Point = jubjub::ExtendedPoint;
type Scalar = jubjub::Scalar;
fn basepoint() -> jubjub::ExtendedPoint {
jubjub::AffinePoint::from_bytes(constants::SPENDAUTHSIG_BASEPOINT_BYTES)
.unwrap()

43
src/messages.rs
View File

@ -3,9 +3,10 @@
//! [RFC-001]: https://github.com/ZcashFoundation/redjubjub/blob/main/rfcs/0001-messages.md
use crate::{frost, signature, verification_key, SpendAuth};
use group::GroupEncoding;
use serde::{Deserialize, Serialize};
use std::collections::BTreeMap;
use std::{collections::BTreeMap, convert::TryInto};
#[cfg(test)]
use proptest_derive::Arbitrary;
@ -34,9 +35,12 @@ pub struct Secret([u8; 32]);
#[cfg_attr(test, derive(Arbitrary))]
pub struct Commitment([u8; 32]);
impl From<frost::Commitment> for Commitment {
fn from(value: frost::Commitment) -> Commitment {
Commitment(jubjub::AffinePoint::from(value.0).to_bytes())
impl<S: SpendAuth> From<frost::Commitment<S>> for Commitment {
fn from(value: frost::Commitment<S>) -> Commitment {
// TODO(str4d): We need to either enforce somewhere that these messages are only
// used with curves that have 32-byte encodings, or make the curve a parameter of
// the encoding. This will be easier once const_evaluatable_checked stabilises.
Commitment(value.0.to_bytes().as_ref().try_into().unwrap())
}
}
@ -56,14 +60,14 @@ pub struct GroupCommitment([u8; 32]);
#[cfg_attr(test, derive(Arbitrary))]
pub struct SignatureResponse([u8; 32]);
impl From<signature::Signature<SpendAuth>> for SignatureResponse {
fn from(value: signature::Signature<SpendAuth>) -> SignatureResponse {
impl<S: SpendAuth> From<signature::Signature<S>> for SignatureResponse {
fn from(value: signature::Signature<S>) -> SignatureResponse {
SignatureResponse(value.s_bytes)
}
}
impl From<signature::Signature<SpendAuth>> for GroupCommitment {
fn from(value: signature::Signature<SpendAuth>) -> GroupCommitment {
impl<S: SpendAuth> From<signature::Signature<S>> for GroupCommitment {
fn from(value: signature::Signature<S>) -> GroupCommitment {
GroupCommitment(value.r_bytes)
}
}
@ -76,8 +80,8 @@ impl From<signature::Signature<SpendAuth>> for GroupCommitment {
#[cfg_attr(test, derive(Arbitrary))]
pub struct VerificationKey([u8; 32]);
impl From<verification_key::VerificationKey<SpendAuth>> for VerificationKey {
fn from(value: verification_key::VerificationKey<SpendAuth>) -> VerificationKey {
impl<S: SpendAuth> From<verification_key::VerificationKey<S>> for VerificationKey {
fn from(value: verification_key::VerificationKey<S>) -> VerificationKey {
VerificationKey(<[u8; 32]>::from(value))
}
}
@ -220,19 +224,22 @@ pub struct SigningPackage {
message: Vec<u8>,
}
impl From<SigningPackage> for frost::SigningPackage {
fn from(value: SigningPackage) -> frost::SigningPackage {
impl<S: SpendAuth> From<SigningPackage> for frost::SigningPackage<S> {
fn from(value: SigningPackage) -> frost::SigningPackage<S> {
let mut signing_commitments = Vec::new();
for (participant_id, commitment) in &value.signing_commitments {
// TODO(str4d): This will be so much nicer once const_evaluatable_checked
// stabilises, and `GroupEncoding::from_bytes` can take the array directly.
let mut hiding_repr = <S::Point as GroupEncoding>::Repr::default();
let mut binding_repr = <S::Point as GroupEncoding>::Repr::default();
hiding_repr.as_mut().copy_from_slice(&commitment.hiding.0);
binding_repr.as_mut().copy_from_slice(&commitment.binding.0);
let s = frost::SigningCommitments {
index: u64::from(*participant_id),
// TODO: The `from_bytes()` response is a `CtOption` so we have to `unwrap()`
hiding: jubjub::ExtendedPoint::from(
jubjub::AffinePoint::from_bytes(commitment.hiding.0).unwrap(),
),
binding: jubjub::ExtendedPoint::from(
jubjub::AffinePoint::from_bytes(commitment.binding.0).unwrap(),
),
hiding: S::Point::from_bytes(&hiding_repr).unwrap(),
binding: S::Point::from_bytes(&binding_repr).unwrap(),
};
signing_commitments.push(s);
}

36
src/messages/tests/integration.rs
View File

@ -4,7 +4,7 @@ use crate::{
validate::{MsgErr, Validate},
*,
},
verification_key,
sapling, verification_key,
};
use rand::thread_rng;
use serde_json;
@ -53,8 +53,12 @@ fn validate_sender_receiver() {
#[test]
fn validate_sharepackage() {
let setup = basic_setup();
let (mut shares, _pubkeys) =
frost::keygen_with_dealer(setup.num_signers, setup.threshold, setup.rng.clone()).unwrap();
let (mut shares, _pubkeys) = frost::keygen_with_dealer::<_, sapling::SpendAuth>(
setup.num_signers,
setup.threshold,
setup.rng.clone(),
)
.unwrap();
let header = create_valid_header(setup.signer1, setup.signer2);
@ -130,8 +134,12 @@ fn validate_sharepackage() {
fn serialize_sharepackage() {
let setup = basic_setup();
let (mut shares, _pubkeys) =
frost::keygen_with_dealer(setup.num_signers, setup.threshold, setup.rng.clone()).unwrap();
let (mut shares, _pubkeys) = frost::keygen_with_dealer::<_, sapling::SpendAuth>(
setup.num_signers,
setup.threshold,
setup.rng.clone(),
)
.unwrap();
let header = create_valid_header(setup.dealer, setup.signer1);
@ -196,7 +204,8 @@ fn serialize_sharepackage() {
fn validate_signingcommitments() {
let mut setup = basic_setup();
let (_nonce, commitment) = frost::preprocess(1, u64::from(setup.signer1), &mut setup.rng);
let (_nonce, commitment) =
frost::preprocess::<_, sapling::SpendAuth>(1, u64::from(setup.signer1), &mut setup.rng);
let header = create_valid_header(setup.aggregator, setup.signer2);
@ -236,7 +245,8 @@ fn validate_signingcommitments() {
fn serialize_signingcommitments() {
let mut setup = basic_setup();
let (_nonce, commitment) = frost::preprocess(1, u64::from(setup.signer1), &mut setup.rng);
let (_nonce, commitment) =
frost::preprocess::<_, sapling::SpendAuth>(1, u64::from(setup.signer1), &mut setup.rng);
let header = create_valid_header(setup.aggregator, setup.signer1);
@ -724,16 +734,16 @@ fn basic_setup() -> Setup {
}
}
fn full_setup() -> (Setup, signature::Signature<SpendAuth>) {
fn full_setup() -> (Setup, signature::Signature<sapling::SpendAuth>) {
let mut setup = basic_setup();
// aggregator creates the shares and pubkeys for this round
let (shares, pubkeys) =
frost::keygen_with_dealer(setup.num_signers, setup.threshold, setup.rng.clone()).unwrap();
let mut nonces: std::collections::HashMap<u64, Vec<frost::SigningNonces>> =
let mut nonces: std::collections::HashMap<u64, Vec<frost::SigningNonces<sapling::SpendAuth>>> =
std::collections::HashMap::with_capacity(setup.threshold as usize);
let mut commitments: Vec<frost::SigningCommitments> =
let mut commitments: Vec<frost::SigningCommitments<sapling::SpendAuth>> =
Vec::with_capacity(setup.threshold as usize);
// aggregator generates nonces and signing commitments for each participant.
@ -744,7 +754,7 @@ fn full_setup() -> (Setup, signature::Signature<SpendAuth>) {
}
// aggregator generates a signing package
let mut signature_shares: Vec<frost::SignatureShare> =
let mut signature_shares: Vec<frost::SignatureShare<sapling::SpendAuth>> =
Vec::with_capacity(setup.threshold as usize);
let message = "message to sign".as_bytes().to_vec();
let signing_package = frost::SigningPackage {
@ -770,7 +780,7 @@ fn full_setup() -> (Setup, signature::Signature<SpendAuth>) {
}
fn generate_share_commitment(
shares: &Vec<frost::SharePackage>,
shares: &Vec<frost::SharePackage<sapling::SpendAuth>>,
participants: Vec<ParticipantId>,
) -> BTreeMap<ParticipantId, Commitment> {
assert_eq!(shares.len(), participants.len());
@ -787,7 +797,7 @@ fn generate_share_commitment(
}
fn create_signing_commitments(
commitments: Vec<frost::SigningCommitments>,
commitments: Vec<frost::SigningCommitments<sapling::SpendAuth>>,
participants: Vec<ParticipantId>,
) -> BTreeMap<ParticipantId, SigningCommitments> {
assert_eq!(commitments.len(), participants.len());

27
src/sapling.rs Normal file
View File

@ -0,0 +1,27 @@
//! Signature types for the Sapling protocol.
use super::SigType;
/// A type variable corresponding to Zcash's Sapling `SpendAuthSig`.
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub enum SpendAuth {}
// This should not exist, but is necessary to use zeroize::DefaultIsZeroes.
impl Default for SpendAuth {
fn default() -> Self {
unimplemented!()
}
}
impl SigType for SpendAuth {}
impl super::SpendAuth for SpendAuth {}
/// A type variable corresponding to Zcash's Sapling `BindingSig`.
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub enum Binding {}
// This should not exist, but is necessary to use zeroize::DefaultIsZeroes.
impl Default for Binding {
fn default() -> Self {
unimplemented!()
}
}
impl SigType for Binding {}
impl super::Binding for Binding {}

15
src/scalar_mul.rs
View File

@ -12,7 +12,7 @@
use std::{borrow::Borrow, fmt::Debug};
use jubjub::*;
use jubjub::{ExtendedNielsPoint, ExtendedPoint};
pub trait NonAdjacentForm {
fn non_adjacent_form(&self, w: usize) -> [i8; 256];
@ -20,7 +20,9 @@ pub trait NonAdjacentForm {
/// A trait for variable-time multiscalar multiplication without precomputation.
pub trait VartimeMultiscalarMul {
/// The type of point being multiplied, e.g., `AffinePoint`.
/// The type of scalar being multiplied, e.g., `jubjub::Scalar`.
type Scalar;
/// The type of point being multiplied, e.g., `jubjub::AffinePoint`.
type Point;
/// Given an iterator of public scalars and an iterator of
@ -32,7 +34,7 @@ pub trait VartimeMultiscalarMul {
fn optional_multiscalar_mul<I, J>(scalars: I, points: J) -> Option<Self::Point>
where
I: IntoIterator,
I::Item: Borrow<Scalar>,
I::Item: Borrow<Self::Scalar>,
J: IntoIterator<Item = Option<Self::Point>>;
/// Given an iterator of public scalars and an iterator of
@ -46,7 +48,7 @@ pub trait VartimeMultiscalarMul {
fn vartime_multiscalar_mul<I, J>(scalars: I, points: J) -> Self::Point
where
I: IntoIterator,
I::Item: Borrow<Scalar>,
I::Item: Borrow<Self::Scalar>,
J: IntoIterator,
J::Item: Borrow<Self::Point>,
Self::Point: Clone,
@ -59,7 +61,7 @@ pub trait VartimeMultiscalarMul {
}
}
impl NonAdjacentForm for Scalar {
impl NonAdjacentForm for jubjub::Scalar {
/// Compute a width-\\(w\\) "Non-Adjacent Form" of this scalar.
///
/// Thanks to curve25519-dalek
@ -155,13 +157,14 @@ impl<'a> From<&'a ExtendedPoint> for LookupTable5<ExtendedNielsPoint> {
}
impl VartimeMultiscalarMul for ExtendedPoint {
type Scalar = jubjub::Scalar;
type Point = ExtendedPoint;
#[allow(non_snake_case)]
fn optional_multiscalar_mul<I, J>(scalars: I, points: J) -> Option<ExtendedPoint>
where
I: IntoIterator,
I::Item: Borrow<Scalar>,
I::Item: Borrow<Self::Scalar>,
J: IntoIterator<Item = Option<ExtendedPoint>>,
{
let nafs: Vec<_> = scalars

4
src/signature.rs
View File

@ -7,12 +7,12 @@
// Authors:
// - Henry de Valence <hdevalence@hdevalence.ca>
//! Redjubjub Signatures
//! RedDSA Signatures
use std::marker::PhantomData;
use crate::SigType;
/// A RedJubJub signature.
/// A RedDSA signature.
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
pub struct Signature<T: SigType> {

37
src/signing_key.rs
View File

@ -13,19 +13,21 @@ use std::{
marker::PhantomData,
};
use crate::{Error, Randomizer, SigType, Signature, SpendAuth, VerificationKey};
use crate::{
private::SealedScalar, Error, Randomizer, SigType, Signature, SpendAuth, VerificationKey,
};
use jubjub::Scalar;
use group::{ff::PrimeField, GroupEncoding};
use rand_core::{CryptoRng, RngCore};
/// A RedJubJub signing key.
/// A RedDSA signing key.
#[derive(Copy, Clone, Debug)]
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
#[cfg_attr(feature = "serde", serde(try_from = "SerdeHelper"))]
#[cfg_attr(feature = "serde", serde(into = "SerdeHelper"))]
#[cfg_attr(feature = "serde", serde(bound = "T: SigType"))]
pub struct SigningKey<T: SigType> {
sk: Scalar,
sk: T::Scalar,
pk: VerificationKey<T>,
}
@ -37,7 +39,7 @@ impl<'a, T: SigType> From<&'a SigningKey<T>> for VerificationKey<T> {
impl<T: SigType> From<SigningKey<T>> for [u8; 32] {
fn from(sk: SigningKey<T>) -> [u8; 32] {
sk.sk.to_bytes()
sk.sk.to_repr().as_ref().try_into().unwrap()
}
}
@ -46,7 +48,9 @@ impl<T: SigType> TryFrom<[u8; 32]> for SigningKey<T> {
fn try_from(bytes: [u8; 32]) -> Result<Self, Self::Error> {
// XXX-jubjub: this should not use CtOption
let maybe_sk = Scalar::from_bytes(&bytes);
let mut repr = <T::Scalar as PrimeField>::Repr::default();
repr.as_mut().copy_from_slice(&bytes);
let maybe_sk = T::Scalar::from_repr(repr);
if maybe_sk.is_some().into() {
let sk = maybe_sk.unwrap();
let pk = VerificationKey::from(&sk);
@ -74,10 +78,10 @@ impl<T: SigType> From<SigningKey<T>> for SerdeHelper {
}
}
impl SigningKey<SpendAuth> {
impl<T: SpendAuth> SigningKey<T> {
/// Randomize this public key with the given `randomizer`.
pub fn randomize(&self, randomizer: &Randomizer) -> SigningKey<SpendAuth> {
let sk = &self.sk + randomizer;
pub fn randomize(&self, randomizer: &Randomizer<T>) -> SigningKey<T> {
let sk = self.sk + randomizer;
let pk = VerificationKey::from(&sk);
SigningKey { sk, pk }
}
@ -89,7 +93,7 @@ impl<T: SigType> SigningKey<T> {
let sk = {
let mut bytes = [0; 64];
rng.fill_bytes(&mut bytes);
Scalar::from_bytes_wide(&bytes)
T::Scalar::from_bytes_wide(&bytes)
};
let pk = VerificationKey::from(&sk);
SigningKey { sk, pk }
@ -101,28 +105,31 @@ impl<T: SigType> SigningKey<T> {
use crate::HStar;
// Choose a byte sequence uniformly at random of length
// (\ell_H + 128)/8 bytes. For RedJubjub this is (512 + 128)/8 = 80.
// (\ell_H + 128)/8 bytes. For RedJubjub and RedPallas this is
// (512 + 128)/8 = 80.
let random_bytes = {
let mut bytes = [0; 80];
rng.fill_bytes(&mut bytes);
bytes
};
let nonce = HStar::default()
let nonce = HStar::<T>::default()
.update(&random_bytes[..])
.update(&self.pk.bytes.bytes[..]) // XXX ugly
.update(msg)
.finalize();
let r_bytes = jubjub::AffinePoint::from(&T::basepoint() * &nonce).to_bytes();
let r: T::Point = T::basepoint() * nonce;
let r_bytes: [u8; 32] = r.to_bytes().as_ref().try_into().unwrap();
let c = HStar::default()
let c = HStar::<T>::default()
.update(&r_bytes[..])
.update(&self.pk.bytes.bytes[..]) // XXX ugly
.update(msg)
.finalize();
let s_bytes = (&nonce + &(&c * &self.sk)).to_bytes();
let s = nonce + (c * self.sk);
let s_bytes = s.to_repr().as_ref().try_into().unwrap();
Signature {
r_bytes,

51
src/verification_key.rs
View File

@ -9,17 +9,17 @@
// - Henry de Valence <hdevalence@hdevalence.ca>
use std::{
convert::TryFrom,
convert::{TryFrom, TryInto},
hash::{Hash, Hasher},
marker::PhantomData,
};
use jubjub::Scalar;
use group::{cofactor::CofactorGroup, ff::PrimeField, GroupEncoding};
use crate::{Error, Randomizer, SigType, Signature, SpendAuth};
/// A refinement type for `[u8; 32]` indicating that the bytes represent
/// an encoding of a RedJubJub verification key.
/// an encoding of a RedDSA verification key.
///
/// This is useful for representing a compressed verification key; the
/// [`VerificationKey`] type in this library holds other decompressed state
@ -53,7 +53,7 @@ impl<T: SigType> Hash for VerificationKeyBytes<T> {
}
}
/// A valid RedJubJub verification key.
/// A valid RedDSA verification key.
///
/// This type holds decompressed state used in signature verification; if the
/// verification key may not be used immediately, it is probably better to use
@ -72,8 +72,7 @@ impl<T: SigType> Hash for VerificationKeyBytes<T> {
#[cfg_attr(feature = "serde", serde(into = "VerificationKeyBytes<T>"))]
#[cfg_attr(feature = "serde", serde(bound = "T: SigType"))]
pub struct VerificationKey<T: SigType> {
// XXX-jubjub: this should just be Point
pub(crate) point: jubjub::ExtendedPoint,
pub(crate) point: T::Point,
pub(crate) bytes: VerificationKeyBytes<T>,
}
@ -96,9 +95,11 @@ impl<T: SigType> TryFrom<VerificationKeyBytes<T>> for VerificationKey<T> {
// XXX-jubjub: this should not use CtOption
// XXX-jubjub: this takes ownership of bytes, while Fr doesn't.
// This checks that the encoding is canonical...
let maybe_point = jubjub::AffinePoint::from_bytes(bytes.bytes);
let mut repr = <T::Point as GroupEncoding>::Repr::default();
repr.as_mut().copy_from_slice(&bytes.bytes);
let maybe_point = T::Point::from_bytes(&repr);
if maybe_point.is_some().into() {
let point: jubjub::ExtendedPoint = maybe_point.unwrap().into();
let point = maybe_point.unwrap();
// Note that small-order verification keys (including the identity) are not
// rejected here. Previously they were rejected, but this was a bug as the
// RedDSA specification allows them. Zcash Sapling rejects small-order points
@ -116,20 +117,18 @@ impl<T: SigType> TryFrom<[u8; 32]> for VerificationKey<T> {
type Error = Error;
fn try_from(bytes: [u8; 32]) -> Result<Self, Self::Error> {
use std::convert::TryInto;
VerificationKeyBytes::from(bytes).try_into()
}
}
impl VerificationKey<SpendAuth> {
impl<T: SpendAuth> VerificationKey<T> {
/// Randomize this verification key with the given `randomizer`.
///
/// Randomization is only supported for `SpendAuth` keys.
pub fn randomize(&self, randomizer: &Randomizer) -> VerificationKey<SpendAuth> {
use crate::private::Sealed;
let point = &self.point + &(&SpendAuth::basepoint() * randomizer);
pub fn randomize(&self, randomizer: &Randomizer<T>) -> VerificationKey<T> {
let point = self.point + (T::basepoint() * randomizer);
let bytes = VerificationKeyBytes {
bytes: jubjub::AffinePoint::from(&point).to_bytes(),
bytes: point.to_bytes().as_ref().try_into().unwrap(),
_marker: PhantomData,
};
VerificationKey { bytes, point }
@ -137,10 +136,10 @@ impl VerificationKey<SpendAuth> {
}
impl<T: SigType> VerificationKey<T> {
pub(crate) fn from(s: &Scalar) -> VerificationKey<T> {
let point = &T::basepoint() * s;
pub(crate) fn from(s: &T::Scalar) -> VerificationKey<T> {
let point = T::basepoint() * s;
let bytes = VerificationKeyBytes {
bytes: jubjub::AffinePoint::from(&point).to_bytes(),
bytes: point.to_bytes().as_ref().try_into().unwrap(),
_marker: PhantomData,
};
VerificationKey { bytes, point }
@ -150,7 +149,7 @@ impl<T: SigType> VerificationKey<T> {
// This is similar to impl signature::Verifier but without boxed errors
pub fn verify(&self, msg: &[u8], signature: &Signature<T>) -> Result<(), Error> {
use crate::HStar;
let c = HStar::default()
let c = HStar::<T>::default()
.update(&signature.r_bytes[..])
.update(&self.bytes.bytes[..]) // XXX ugly
.update(msg)
@ -163,14 +162,16 @@ impl<T: SigType> VerificationKey<T> {
pub(crate) fn verify_prehashed(
&self,
signature: &Signature<T>,
c: Scalar,
c: T::Scalar,
) -> Result<(), Error> {
let r = {
// XXX-jubjub: should not use CtOption here
// XXX-jubjub: inconsistent ownership in from_bytes
let maybe_point = jubjub::AffinePoint::from_bytes(signature.r_bytes);
let mut repr = <T::Point as GroupEncoding>::Repr::default();
repr.as_mut().copy_from_slice(&signature.r_bytes);
let maybe_point = T::Point::from_bytes(&repr);
if maybe_point.is_some().into() {
jubjub::ExtendedPoint::from(maybe_point.unwrap())
maybe_point.unwrap()
} else {
return Err(Error::InvalidSignature);
}
@ -178,7 +179,9 @@ impl<T: SigType> VerificationKey<T> {
let s = {
// XXX-jubjub: should not use CtOption here
let maybe_scalar = Scalar::from_bytes(&signature.s_bytes);
let mut repr = <T::Scalar as PrimeField>::Repr::default();
repr.as_mut().copy_from_slice(&signature.s_bytes);
let maybe_scalar = T::Scalar::from_repr(repr);
if maybe_scalar.is_some().into() {
maybe_scalar.unwrap()
} else {
@ -189,8 +192,8 @@ impl<T: SigType> VerificationKey<T> {
// XXX rewrite as normal double scalar mul
// Verify check is h * ( - s * B + R + c * A) == 0
// h * ( s * B - c * A - R) == 0
let sB = &T::basepoint() * &s;
let cA = &self.point * &c;
let sB = T::basepoint() * s;
let cA = self.point * c;
let check = sB - cA - r;
if check.is_small_order().into() {

32
tests/batch.rs
View File

@ -5,13 +5,13 @@ use reddsa::*;
#[test]
fn spendauth_batch_verify() {
let mut rng = thread_rng();
let mut batch = batch::Verifier::new();
let mut batch = batch::Verifier::<_, sapling::Binding>::new();
for _ in 0..32 {
let sk = SigningKey::<SpendAuth>::new(&mut rng);
let sk = SigningKey::<sapling::SpendAuth>::new(&mut rng);
let vk = VerificationKey::from(&sk);
let msg = b"BatchVerifyTest";
let sig = sk.sign(&mut rng, &msg[..]);
batch.queue((vk.into(), sig, msg));
batch.queue(batch::Item::from_spendauth(vk.into(), sig, msg));
}
assert!(batch.verify(rng).is_ok());
}
@ -19,13 +19,13 @@ fn spendauth_batch_verify() {
#[test]
fn binding_batch_verify() {
let mut rng = thread_rng();
let mut batch = batch::Verifier::new();
let mut batch = batch::Verifier::<sapling::SpendAuth, _>::new();
for _ in 0..32 {
let sk = SigningKey::<Binding>::new(&mut rng);
let sk = SigningKey::<sapling::Binding>::new(&mut rng);
let vk = VerificationKey::from(&sk);
let msg = b"BatchVerifyTest";
let sig = sk.sign(&mut rng, &msg[..]);
batch.queue((vk.into(), sig, msg));
batch.queue(batch::Item::from_binding(vk.into(), sig, msg));
}
assert!(batch.verify(rng).is_ok());
}
@ -35,20 +35,20 @@ fn alternating_batch_verify() {
let mut rng = thread_rng();
let mut batch = batch::Verifier::new();
for i in 0..32 {
let item: batch::Item = match i % 2 {
let item = match i % 2 {
0 => {
let sk = SigningKey::<SpendAuth>::new(&mut rng);
let sk = SigningKey::<sapling::SpendAuth>::new(&mut rng);
let vk = VerificationKey::from(&sk);
let msg = b"BatchVerifyTest";
let sig = sk.sign(&mut rng, &msg[..]);
(vk.into(), sig, msg).into()
batch::Item::from_spendauth(vk.into(), sig, msg)
}
1 => {
let sk = SigningKey::<Binding>::new(&mut rng);
let sk = SigningKey::<sapling::Binding>::new(&mut rng);
let vk = VerificationKey::from(&sk);
let msg = b"BatchVerifyTest";
let sig = sk.sign(&mut rng, &msg[..]);
(vk.into(), sig, msg).into()
batch::Item::from_binding(vk.into(), sig, msg)
}
_ => unreachable!(),
};
@ -64,9 +64,9 @@ fn bad_batch_verify() {
let mut batch = batch::Verifier::new();
let mut items = Vec::new();
for i in 0..32 {
let item: batch::Item = match i % 2 {
let item = match i % 2 {
0 => {
let sk = SigningKey::<SpendAuth>::new(&mut rng);
let sk = SigningKey::<sapling::SpendAuth>::new(&mut rng);
let vk = VerificationKey::from(&sk);
let msg = b"BatchVerifyTest";
let sig = if i != bad_index {
@ -74,14 +74,14 @@ fn bad_batch_verify() {
} else {
sk.sign(&mut rng, b"bad")
};
(vk.into(), sig, msg).into()
batch::Item::from_spendauth(vk.into(), sig, msg)
}
1 => {
let sk = SigningKey::<Binding>::new(&mut rng);
let sk = SigningKey::<sapling::Binding>::new(&mut rng);
let vk = VerificationKey::from(&sk);
let msg = b"BatchVerifyTest";
let sig = sk.sign(&mut rng, &msg[..]);
(vk.into(), sig, msg).into()
batch::Item::from_binding(vk.into(), sig, msg)
}
_ => unreachable!(),
};

16
tests/bincode.rs
View File

@ -9,8 +9,8 @@ proptest! {
fn secretkey_serialization(
bytes in prop::array::uniform32(any::<u8>()),
) {
let sk_result_from = SigningKey::<SpendAuth>::try_from(bytes);
let sk_result_bincode: Result<SigningKey::<SpendAuth>, _>
let sk_result_from = SigningKey::<sapling::SpendAuth>::try_from(bytes);
let sk_result_bincode: Result<SigningKey::<sapling::SpendAuth>, _>
= bincode::deserialize(&bytes[..]);
// Check 1: both decoding methods should agree
@ -39,8 +39,8 @@ proptest! {
fn publickeybytes_serialization(
bytes in prop::array::uniform32(any::<u8>()),
) {
let pk_bytes_from = VerificationKeyBytes::<SpendAuth>::from(bytes);
let pk_bytes_bincode: VerificationKeyBytes::<SpendAuth>
let pk_bytes_from = VerificationKeyBytes::<sapling::SpendAuth>::from(bytes);
let pk_bytes_bincode: VerificationKeyBytes::<sapling::SpendAuth>
= bincode::deserialize(&bytes[..]).unwrap();
// Check 1: both decoding methods should have the same result.
@ -59,8 +59,8 @@ proptest! {
fn publickey_serialization(
bytes in prop::array::uniform32(any::<u8>()),
) {
let pk_result_try_from = VerificationKey::<SpendAuth>::try_from(bytes);
let pk_result_bincode: Result<VerificationKey::<SpendAuth>, _>
let pk_result_try_from = VerificationKey::<sapling::SpendAuth>::try_from(bytes);
let pk_result_bincode: Result<VerificationKey::<sapling::SpendAuth>, _>
= bincode::deserialize(&bytes[..]);
// Check 1: both decoding methods should have the same result
@ -93,8 +93,8 @@ proptest! {
bytes
};
let sig_bytes_from = Signature::<SpendAuth>::from(bytes);
let sig_bytes_bincode: Signature::<SpendAuth>
let sig_bytes_from = Signature::<sapling::SpendAuth>::from(bytes);
let sig_bytes_bincode: Signature::<sapling::SpendAuth>
= bincode::deserialize(&bytes[..]).unwrap();
// Check 1: both decoding methods should have the same result.

10
tests/frost.rs
View File

@ -1,7 +1,7 @@
use rand::thread_rng;
use std::collections::HashMap;
use reddsa::frost;
use reddsa::{frost, sapling};
#[test]
fn check_sign_with_dealer() {
@ -10,9 +10,10 @@ fn check_sign_with_dealer() {
let threshold = 3;
let (shares, pubkeys) = frost::keygen_with_dealer(numsigners, threshold, &mut rng).unwrap();
let mut nonces: HashMap<u64, Vec<frost::SigningNonces>> =
let mut nonces: HashMap<u64, Vec<frost::SigningNonces<sapling::SpendAuth>>> =
HashMap::with_capacity(threshold as usize);
let mut commitments: Vec<frost::SigningCommitments> = Vec::with_capacity(threshold as usize);
let mut commitments: Vec<frost::SigningCommitments<sapling::SpendAuth>> =
Vec::with_capacity(threshold as usize);
// Round 1, generating nonces and signing commitments for each participant.
for participant_index in 1..(threshold + 1) {
@ -26,7 +27,8 @@ fn check_sign_with_dealer() {
// This is what the signature aggregator / coordinator needs to do:
// - decide what message to sign
// - take one (unused) commitment per signing participant
let mut signature_shares: Vec<frost::SignatureShare> = Vec::with_capacity(threshold as usize);
let mut signature_shares: Vec<frost::SignatureShare<sapling::SpendAuth>> =
Vec::with_capacity(threshold as usize);
let message = "message to sign".as_bytes();
let signing_package = frost::SigningPackage {
message: message.to_vec(),

10
tests/librustzcash_vectors.rs
View File

@ -26,8 +26,8 @@ fn verify_librustzcash_binding() {
lazy_static! {
static ref LIBRUSTZCASH_SPENDAUTH_SIGS: [(
Vec<u8>,
Signature<SpendAuth>,
VerificationKeyBytes<SpendAuth>
Signature<sapling::SpendAuth>,
VerificationKeyBytes<sapling::SpendAuth>
); 32] = [
(
[
@ -638,7 +638,11 @@ lazy_static! {
.into(),
),
];
static ref LIBRUSTZCASH_BINDING_SIGS: [(Vec<u8>, Signature<Binding>, VerificationKeyBytes<Binding>); 32] = [
static ref LIBRUSTZCASH_BINDING_SIGS: [(
Vec<u8>,
Signature<sapling::Binding>,
VerificationKeyBytes<sapling::Binding>
); 32] = [
(
[
16, 28, 190, 75, 156, 66, 96, 79, 4, 199, 3, 195, 150, 247, 136, 198, 203, 45, 109,

10
tests/proptests.rs
View File

@ -64,7 +64,7 @@ impl<T: SigType> SignatureCase<T> {
VerificationKeyBytes::<T>::from(bytes)
};
// Check that the verification key is a valid RedJubjub verification key.
// Check that the verification key is a valid RedDSA verification key.
let pub_key = VerificationKey::try_from(pk_bytes)
.expect("The test verification key to be well-formed.");
@ -114,8 +114,8 @@ proptest! {
// Create a test case for each signature type.
let msg = b"test message for proptests";
let mut binding = SignatureCase::<Binding>::new(&mut rng, msg.to_vec());
let mut spendauth = SignatureCase::<SpendAuth>::new(&mut rng, msg.to_vec());
let mut binding = SignatureCase::<sapling::Binding>::new(&mut rng, msg.to_vec());
let mut spendauth = SignatureCase::<sapling::SpendAuth>::new(&mut rng, msg.to_vec());
// Apply tweaks to each case.
for t in &tweaks {
@ -136,10 +136,10 @@ proptest! {
// XXX-jubjub: better API for this
let mut bytes = [0; 64];
rng.fill_bytes(&mut bytes[..]);
Randomizer::from_bytes_wide(&bytes)
jubjub::Scalar::from_bytes_wide(&bytes)
};
let sk = SigningKey::<SpendAuth>::new(&mut rng);
let sk = SigningKey::<sapling::SpendAuth>::new(&mut rng);
let pk = VerificationKey::from(&sk);
let sk_r = sk.randomize(&r);

8
tests/smallorder.rs
View File

@ -9,8 +9,8 @@ fn identity_publickey_passes() {
let identity = AffinePoint::identity();
assert_eq!(<bool>::from(identity.is_small_order()), true);
let bytes = identity.to_bytes();
let pk_bytes = VerificationKeyBytes::<SpendAuth>::from(bytes);
assert!(VerificationKey::<SpendAuth>::try_from(pk_bytes).is_ok());
let pk_bytes = VerificationKeyBytes::<sapling::SpendAuth>::from(bytes);
assert!(VerificationKey::<sapling::SpendAuth>::try_from(pk_bytes).is_ok());
}
#[test]
@ -19,6 +19,6 @@ fn smallorder_publickey_passes() {
let order4 = AffinePoint::from_raw_unchecked(Fq::one(), Fq::zero());
assert_eq!(<bool>::from(order4.is_small_order()), true);
let bytes = order4.to_bytes();
let pk_bytes = VerificationKeyBytes::<SpendAuth>::from(bytes);
assert!(VerificationKey::<SpendAuth>::try_from(pk_bytes).is_ok());
let pk_bytes = VerificationKeyBytes::<sapling::SpendAuth>::from(bytes);
assert!(VerificationKey::<sapling::SpendAuth>::try_from(pk_bytes).is_ok());
}