Change the GeneratorsChain to use SHAKE256

Author: hdevalence

Cargo.toml

@@ -14,7 +14,8 @@ description = "A pure-Rust implementation of Bulletproofs using Ristretto"
 [dependencies]
 curve25519-dalek = { version = "0.19", features = ["serde"] }
 subtle = "0.7"
-sha2 = "^0.7"
+sha3 = "0.7"
+digest = "0.7"
 rand = "0.5.0-pre.2"
 byteorder = "1.2.1"
 serde = "1"

src/generators.rs

@@ -4,27 +4,29 @@
 #![allow(non_snake_case)]
 #![deny(missing_docs)]
 
-// XXX we should use Sha3 everywhere
-use sha2::{Digest, Sha512};
-
 use curve25519_dalek::ristretto::RistrettoPoint;
 use curve25519_dalek::scalar::Scalar;
 use curve25519_dalek::traits::MultiscalarMul;
 
+use digest::{ExtendableOutput, Input, XofReader};
+use sha3::{Sha3XofReader, Shake256};
+
 /// The `GeneratorsChain` creates an arbitrary-long sequence of orthogonal generators.
 /// The sequence can be deterministically produced starting with an arbitrary point.
 struct GeneratorsChain {
-    next_point: RistrettoPoint,
+    reader: Sha3XofReader,
 }
 
 impl GeneratorsChain {
     /// Creates a chain of generators, determined by the hash of `label`.
     fn new(label: &[u8]) -> Self {
-        let mut hash = Sha512::default();
-        hash.input(b"GeneratorsChainInit");
-        hash.input(label);
-        let next_point = RistrettoPoint::from_hash(hash);
-        GeneratorsChain { next_point }
+        let mut shake = Shake256::default();
+        shake.process(b"GeneratorsChain");
+        shake.process(label);
+
+        GeneratorsChain {
+            reader: shake.xof_result(),
+        }
     }
 }
 
@@ -36,13 +38,16 @@ impl Default for GeneratorsChain {
 
 impl Iterator for GeneratorsChain {
     type Item = RistrettoPoint;
+
     fn next(&mut self) -> Option<Self::Item> {
-        let current_point = self.next_point;
-        let mut hash = Sha512::default();
-        hash.input(b"GeneratorsChainNext");
-        hash.input(current_point.compress().as_bytes());
-        self.next_point = RistrettoPoint::from_hash(hash);
-        Some(current_point)
+        let mut uniform_bytes = [0u8; 64];
+        self.reader.read(&mut uniform_bytes);
+
+        Some(RistrettoPoint::from_uniform_bytes(&uniform_bytes))
+    }
+
+    fn size_hint(&self) -> (usize, Option<usize>) {
+        (usize::max_value(), None)
     }
 }
 

src/inner_product_proof.rs

@@ -326,7 +326,7 @@ mod tests {
     use super::*;
 
     use rand::OsRng;
-    use sha2::Sha512;
+    use sha3::Sha3_512;
     use util;
 
     fn test_helper_create(n: usize) {
@@ -338,7 +338,7 @@ mod tests {
         let H = gens.share(0).H.to_vec();
 
         // Q would be determined upstream in the protocol, so we pick a random one.
-        let Q = RistrettoPoint::hash_from_bytes::<Sha512>(b"test point");
+        let Q = RistrettoPoint::hash_from_bytes::<Sha3_512>(b"test point");
 
         // a and b are the vectors for which we want to prove c = <a,b>
         let a: Vec<_> = (0..n).map(|_| Scalar::random(&mut rng)).collect();

src/lib.rs

@@ -11,10 +11,11 @@
 extern crate byteorder;
 extern crate core;
 extern crate curve25519_dalek;
+extern crate digest;
 #[macro_use]
 extern crate failure;
 extern crate rand;
-extern crate sha2;
+extern crate sha3;
 extern crate subtle;
 extern crate tiny_keccak;
 #[macro_use]