* Impl DefaultIsZeros for every type that uses jubjub::Fr/Scalar
This requires Copy and Clone along with Default. If we do not want to include those, we can impl Zeroize and Drop directly.
* Hash signature message with HStar before deriving the binding factor
To avoid a collision, we should hash our input message. Our 'standard' hash is HStar, which uses a domain separator already and is the same one that generates the binding factor.
* Add a comment about why we hash the signature message before generating the binding factor
* Add comments on how we Zeroize
* Consume nonces with sign()
We want to make sure that the nonces we use when signing are Drop'd
(and thus Zeroize'd) when they go out of scope, so we must move participant_nonces into sign().
Implements FROST (Flexible Round Optimized Schnorr Threshold Signatures, https://eprint.iacr.org/2020/852) where key generation is performed by a trusted dealer.
Future work will include implementing distributed key generation and re-randomizability.
Co-authored-by: Chelsea Komlo <me@chelseakomlo.com>
Co-authored-by: Isis Lovecruft <isis@patternsinthevoid.net>
This closes a gap in the API where it was impossible to retry items in a failed
batch, because the opaque Item type could not be verified individually.
* Pulls in some traits and methods from curve25519-dalek around the
vartime multiscalar multiplication.
* Move scalar mul things we want to upstream to jubjub to their own crate
* Make Verify agnostic to the SigType
Co-authored-by: Henry de Valence <hdevalence@hdevalence.ca>
Co-authored-by: Jane Lusby <jlusby42@gmail.com>
When Rust derives Copy, Clone, Eq, PartialEq, etc. on a type with
`PhantomData<T>`, it adds a `T: Clone` etc. bound, regardless of whether `T` is
only ever used inside of the `PhantomData`. A better fix would be to fix the
derived bounds themselves, but in the meantime this works, even if it's
slightly ugly.
This ran into problems with Clone/Copy bounds -- it seems like the
derived impls require that the phantom type T also be Clone / Copy /
Debug for the type to be. This commit does a hacky fix that makes it
work for now, but it should be cleaned up later.
The motivation is as follows. The sealed trait pattern allows creating
a type-level equivalent of an enum: the trait corresponds to the enum
type and its implementors correspond to the enum variants; the `Sealed`
restriction ensures that there is a fixed set of enum variants.
In this picture, adding methods to the public trait corresponds to a
public method on an enum, while adding methods to the private trait
corresponds to a private method on an enum. This means that we can add
a method to get the basepoint (whose possible choices are enumerated by
SigType) and avoid having to do specialized impls.
This means that using a BindingSig as a SpendAuthSig or vice versa becomes a
compile error. Internally, we can share implementations, but having type
parameters and specialized impls means that the correct parameters can be
substituted into whatever inner functions exist.
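The sealed-trait layout described in the two messages above, as an added example that is not the crate's own code: a public SigType trait over a private Sealed trait, with SpendAuth and Binding as the fixed set of "variants" and the basepoint accessor on the private half, so that a Binding key cannot be used where a SpendAuth key is expected. The basepoint is a constructed string label standing in for a jubjub point, and VerificationKey, from_bytes, basepoint_label and needs_spend_auth are assumed names.

```rust
use std::marker::PhantomData;

mod private {
    // The private half of the sealed trait: only this module can implement it,
    // so the set of SigType "variants" is fixed and the basepoint accessor
    // stays out of the public API.
    pub trait Sealed: Copy + Clone + Eq + std::fmt::Debug {
        // Stand-in for the real basepoint (a jubjub point in the crate);
        // a constructed label is enough to show which one gets selected.
        fn basepoint() -> &'static str;
    }
}

// Public half: the "enum type". Users can name it but not implement it.
pub trait SigType: private::Sealed {}

// The "enum variants". Deriving Copy/Clone/Debug/Eq on the marker types is the
// workaround noted above: derives on a struct holding PhantomData<T> add
// `T: Clone` etc. bounds, so the markers must satisfy them.
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
pub enum SpendAuth {}
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
pub enum Binding {}

impl private::Sealed for SpendAuth {
    fn basepoint() -> &'static str { "SPEND_AUTH_BASEPOINT (constructed)" }
}
impl private::Sealed for Binding {
    fn basepoint() -> &'static str { "BINDING_BASEPOINT (constructed)" }
}
impl SigType for SpendAuth {}
impl SigType for Binding {}

// A key tagged by its signature type; the tag exists only at the type level.
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
pub struct VerificationKey<T: SigType> {
    bytes: [u8; 32],
    _marker: PhantomData<T>,
}

impl<T: SigType> VerificationKey<T> {
    pub fn from_bytes(bytes: [u8; 32]) -> Self {
        VerificationKey { bytes, _marker: PhantomData }
    }
    // One shared implementation; the type parameter selects the basepoint.
    pub fn basepoint_label(&self) -> &'static str { T::basepoint() }
}

// Passing a Binding key here is a compile error, since it is a distinct type.
pub fn needs_spend_auth(vk: &VerificationKey<SpendAuth>) -> usize { vk.bytes.len() }
```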