* expose dkg module
* fix dkg compiling issues
* incorporate frost repo fixes; add into_positive_y() for RedPallas
* don't use all features in MSRV test
* remove unneeded frost-rerandomized import in dev-dependencies
* bump frost-rerandomized rev
* update to frost-rerandomized 0.7.0
* commit lockfile; update CI test to match
* Make the NAF function generic
* Use the `jubjub` prefix for Jubjub types in tests
* Add tests for the NAF for Jubjub & Pallas scalars
* Use Rust's TryInto for [u8; 32]
Co-authored-by: Conrado Gouvea <conradoplg@gmail.com>
* Simplify the scalar conversion
* Revert "Simplify the scalar conversion"
This reverts commit f50ff9dd8a.
* Revert "Use Rust's TryInto for [u8; 32]"
This reverts commit 282c3b16ac.
---------
Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
Co-authored-by: Conrado Gouvea <conradoplg@gmail.com>
* Move Pallas tests to their own file
* Add tests for multiplication on Pallas
* Add tests for multiplication on Jubjub
* Use `assert_eq` instead of `assert`
* Apply suggestions from code review
Co-authored-by: Conrado Gouvea <conradoplg@gmail.com>
* Refactor Pallas tests
* Refactor Jubjub tests
* Use `product` instead of `res`
---------
Co-authored-by: Conrado Gouvea <conradoplg@gmail.com>
* clippy fixes; remove old FROST code
* add RedPallas ciphersuite and FROST support
* organized code
* simplified version
* remove randomized_frost; point to frost-randomized crate
* move rerandomized test to frost-rerandomized; clean up dependencies; add 'frost' feature
* remove stale comment
* add Jubjub support
* add torsion and identity checks where needed; tests
* Apply suggestions from code review
Co-authored-by: Marek <mail@marek.onl>
* Apply suggestions from code review
Co-authored-by: Marek <mail@marek.onl>
* change Jubjub serialize() to use to_bytes(); add comment to Pallas serialize()
* update frost-rerandomized version
* unpin nightly Rust in coverage.yaml
* fix conditional hex dependency
* move FROST code inside frost folder
* Apply suggestions from code review
Co-authored-by: Marek <mail@marek.onl>
---------
Co-authored-by: Marek <mail@marek.onl>
Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
The FieldExt and SealedScalar traits have a method with the same name,
and the latter's is implemented for pallas::Scalar as a call to the
former's implementation. However, FieldExt was not in scope. In debug
mode, Rust was calling SealedScalar's method recursively, causing a
stack overflow. However, in release mode, Rust was able to find the
FieldExt method fine (and does not appear to just be optimizing out the
code, as the result is valid). To ensure this does not occur, we now
explicitly use the FieldExt method implementation.
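An added example (not code from this repository) of the name collision described in the commit above: `field::FieldExt`, `SealedScalar` and `field::Scalar` are constructed stand-ins, and the fully-qualified call is the fix the commit refers to.

```rust
// Two traits with a same-named associated function, mirroring FieldExt / SealedScalar.
mod field {
    pub trait FieldExt: Sized {
        fn from_bytes_wide(bytes: &[u8; 64]) -> Self;
    }
    #[derive(Clone, Copy, Debug, PartialEq, Eq)]
    pub struct Scalar(pub u64);
    impl FieldExt for Scalar {
        // Toy "reduction": sum the 64 bytes (stand-in for a real wide reduction).
        fn from_bytes_wide(bytes: &[u8; 64]) -> Self {
            Scalar(bytes.iter().map(|&b| b as u64).sum())
        }
    }
}

pub trait SealedScalar: Sized {
    fn from_bytes_wide(bytes: &[u8; 64]) -> Self;
}

// `field::FieldExt` is deliberately NOT imported in this scope. Writing the body as
//     Self::from_bytes_wide(bytes)
// would resolve to SealedScalar::from_bytes_wide itself (the only candidate in
// scope) and recurse until the stack overflows, which is the bug the commit fixes.
impl SealedScalar for field::Scalar {
    fn from_bytes_wide(bytes: &[u8; 64]) -> Self {
        // Fully-qualified path: unambiguous regardless of which traits are in scope.
        <field::Scalar as field::FieldExt>::from_bytes_wide(bytes)
    }
}

// Go through the sealed trait, which must delegate to FieldExt exactly once.
pub fn sealed_from_wide(bytes: &[u8; 64]) -> field::Scalar {
    <field::Scalar as SealedScalar>::from_bytes_wide(bytes)
}

// Call FieldExt directly, for comparison.
pub fn direct_from_wide(bytes: &[u8; 64]) -> field::Scalar {
    <field::Scalar as field::FieldExt>::from_bytes_wide(bytes)
}
```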
The prior `SpendAuth` and `Binding` enums have been renamed to
`sapling::{SpendAuth, Binding}`. These might subsequently be removed
from the crate entirely (moving into a wrapping `redjubjub` crate).
The code assumes that scalar and point representations are [u8; 32],
which will be the case for all curves we instantiate RedDSA with for
Zcash.
* start messages and validation
* add missing docs to constants
* change validation to matches, fix constant doc
Co-authored-by: teor <teor@riseup.net>
* fix the build
* validate share_commitment
* add new constants and validations
* fix validation
* derive serde Serialize and Deserialize in all messages structs
* update created structs
Co-authored-by: teor <teor@riseup.net>
* fix build
* define and use a new MAX_SIGNERS constant
* change group_public type
* add some test cases
* add validation and serialization tests for SigningCommitments
* add validation and serialization test to SigningPackage
* change some fields' order to match the spec
* fix field order in tests according to last updates to the spec
* implement serialize and deserialize for ParticipantId
* move serde-json to dev-dependencies section
* change to pub(crate)
* fix serialize of VerificationKey
* add assert to serialize
* add note, fix typo
* improve some code in tests
* test serialization of individual fields
* start messages and validation
* add missing docs to constants
* change validation to matches, fix constant doc
Co-authored-by: teor <teor@riseup.net>
* fix the build
* validate share_commitment
* add new constants and validations
* fix validation
* define and use a new MAX_SIGNERS constant
* change group_public type
* change some fields' order to match the spec
* change message fields to new spec
* remove some non-needed conversions
* use a BTreeMap to guarantee the order
* remove some calls to `clone()` by implementing `Copy`
* change message type in frost and add validate_signatureshare test
* change `share_commitment` to BTreeMap
* add `serialize_signatureshare` test
* add aggregatesignature tests
* add some test header messages utility functions
* add a setup utility
* move the general serialization checks into a utility function
* fix some typos
* add and use a `generate_share_commitment` utility
* add create_signing_commitments utility function
* improve the serialization tests
* make room for prop tests
* add arbitrary tests for serialization
* remove allow dead code from messages
* fix some imports
* make signature module public only to the crate
* simplify the frost tests a bit
* improve the generated docs
* add a `prop_filter` to Header arbitrary
* (ab)use proptest_derive
* improve validation for Message
* improve some utility functions
* change frost to serialization id conversion
* add a quick btreemap test
* change the `MsgType` to `u32`
* add no leftover bytes checks
* add a full_setup utility
* add map len checks
Co-authored-by: teor <teor@riseup.net>
* Impl DefaultIsZeros for every type that uses jubjub::Fr/Scalar
This requires Copy and Clone along with Default. If we do not want to include those, we can impl Zeroize and Drop directly.
* Hash signature message with HStar before deriving the binding factor
To avoid a collision, we should hash our input message; our 'standard' hash is HStar, which uses a domain separator already and is the same one that generates the binding factor.
* Add a comment about why we hash the signature message before generating the binding factor
* Add comments on how we Zeroize
* Consume nonces with sign()
We want to make sure that the nonces we use when signing are Drop'd
(and thus Zeroize'd) when they go out of scope, so we must move participant_nonces into sign()
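An added example (not the repository's code) of the ownership pattern the two commits above describe: a nonce type that wipes itself on drop and a `sign` that takes it by value, so the nonce is consumed and cannot be reused. `SigningNonce`, `WIPES` and the XOR "signature" are constructed stand-ins; the wipe uses volatile writes from `std` rather than the `zeroize` crate.

```rust
use std::ptr;
use std::sync::atomic::{AtomicUsize, Ordering};

// Constructed counter so a test can observe that the wipe actually ran.
pub static WIPES: AtomicUsize = AtomicUsize::new(0);

pub struct SigningNonce {
    secret: [u8; 32],
}

impl SigningNonce {
    pub fn new(secret: [u8; 32]) -> Self {
        SigningNonce { secret }
    }
}

impl Drop for SigningNonce {
    fn drop(&mut self) {
        // Volatile writes so the optimizer cannot elide the wipe of a value
        // that is about to be deallocated.
        for b in self.secret.iter_mut() {
            unsafe { ptr::write_volatile(b, 0) };
        }
        WIPES.fetch_add(1, Ordering::SeqCst);
    }
}

// Toy "signature": XOR of nonce and message (stand-in for a real Schnorr share).
// Taking `nonce` by value means the caller gives it up; it is dropped, and
// therefore wiped, when this function returns.
pub fn sign(nonce: SigningNonce, msg: &[u8; 32]) -> [u8; 32] {
    let mut out = [0u8; 32];
    for (o, (n, m)) in out.iter_mut().zip(nonce.secret.iter().zip(msg.iter())) {
        *o = n ^ m;
    }
    out
}

// Sign once and report how many nonces were wiped in the process.
pub fn sign_once_demo() -> ([u8; 32], usize) {
    let before = WIPES.load(Ordering::SeqCst);
    let nonce = SigningNonce::new([0x5a; 32]);
    let sig = sign(nonce, &[0x0f; 32]);
    // A second `sign(nonce, ...)` here would not compile: `nonce` was moved.
    (sig, WIPES.load(Ordering::SeqCst) - before)
}
```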
Implements FROST (Flexible Round Optimized Schnorr Threshold Signatures, https://eprint.iacr.org/2020/852) where key generation is performed by a trusted dealer.
Future work will include implementing distributed key generation and re-randomizability.
Co-authored-by: Chelsea Komlo <me@chelseakomlo.com>
Co-authored-by: Isis Lovecruft <isis@patternsinthevoid.net>
This closes a gap in the API where it was impossible to retry items in a failed
batch, because the opaque Item type could not be verified individually.