Merge pull request #128 from dalek-cryptography/rework-generators

Rework generators

Author: hdevalence

Cargo.toml

@@ -14,7 +14,8 @@ description = "A pure-Rust implementation of Bulletproofs using Ristretto"
 [dependencies]
 curve25519-dalek = { version = "0.19", features = ["serde"] }
 subtle = "0.7"
-sha2 = "^0.7"
+sha3 = "0.7"
+digest = "0.7"
 rand = "0.5.0-pre.2"
 byteorder = "1.2.1"
 serde = "1"

benches/bulletproofs.rs

@@ -87,7 +87,7 @@ fn verify_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
             ).unwrap();
 
             // XXX would be nice to have some convenience API for this
-            let pg = &generators.pedersen_generators;
+            let pg = &generators.pedersen_gens;
             let value_commitments: Vec<_> = values
                 .iter()
                 .zip(blindings.iter())

src/generators.rs

@@ -4,27 +4,29 @@
 #![allow(non_snake_case)]
 #![deny(missing_docs)]
 
-// XXX we should use Sha3 everywhere
-use sha2::{Digest, Sha512};
-
 use curve25519_dalek::ristretto::RistrettoPoint;
 use curve25519_dalek::scalar::Scalar;
 use curve25519_dalek::traits::MultiscalarMul;
 
+use digest::{ExtendableOutput, Input, XofReader};
+use sha3::{Sha3XofReader, Shake256};
+
 /// The `GeneratorsChain` creates an arbitrary-long sequence of orthogonal generators.
 /// The sequence can be deterministically produced starting with an arbitrary point.
 struct GeneratorsChain {
-    next_point: RistrettoPoint,
+    reader: Sha3XofReader,
 }
 
 impl GeneratorsChain {
     /// Creates a chain of generators, determined by the hash of `label`.
     fn new(label: &[u8]) -> Self {
-        let mut hash = Sha512::default();
-        hash.input(b"GeneratorsChainInit");
-        hash.input(label);
-        let next_point = RistrettoPoint::from_hash(hash);
-        GeneratorsChain { next_point }
+        let mut shake = Shake256::default();
+        shake.process(b"GeneratorsChain");
+        shake.process(label);
+
+        GeneratorsChain {
+            reader: shake.xof_result(),
+        }
     }
 }
 
@@ -36,13 +38,16 @@ impl Default for GeneratorsChain {
 
 impl Iterator for GeneratorsChain {
     type Item = RistrettoPoint;
+
     fn next(&mut self) -> Option<Self::Item> {
-        let current_point = self.next_point;
-        let mut hash = Sha512::default();
-        hash.input(b"GeneratorsChainNext");
-        hash.input(current_point.compress().as_bytes());
-        self.next_point = RistrettoPoint::from_hash(hash);
-        Some(current_point)
+        let mut uniform_bytes = [0u8; 64];
+        self.reader.read(&mut uniform_bytes);
+
+        Some(RistrettoPoint::from_uniform_bytes(&uniform_bytes))
+    }
+
+    fn size_hint(&self) -> (usize, Option<usize>) {
+        (usize::max_value(), None)
     }
 }
 
@@ -55,7 +60,7 @@ pub struct Generators {
     /// Number of values or parties
     pub m: usize,
     /// Bases for Pedersen commitments
-    pub pedersen_generators: PedersenGenerators,
+    pub pedersen_gens: PedersenGenerators,
     /// Per-bit generators for the bit values
     pub G: Vec<RistrettoPoint>,
     /// Per-bit generators for the bit blinding factors
@@ -70,7 +75,7 @@ pub struct Generators {
 #[derive(Copy, Clone)]
 pub struct GeneratorsView<'a> {
     /// Bases for Pedersen commitments
-    pub pedersen_generators: &'a PedersenGenerators,
+    pub pedersen_gens: &'a PedersenGenerators,
     /// Per-bit generators for the bit values
     pub G: &'a [RistrettoPoint],
     /// Per-bit generators for the bit blinding factors
@@ -109,16 +114,31 @@ impl Default for PedersenGenerators {
 
 impl Generators {
     /// Creates generators for `m` range proofs of `n` bits each.
-    pub fn new(pedersen_generators: PedersenGenerators, n: usize, m: usize) -> Self {
-        let G = GeneratorsChain::new(pedersen_generators.B.compress().as_bytes())
-            .take(n * m)
+    pub fn new(pedersen_gens: PedersenGenerators, n: usize, m: usize) -> Self {
+        use byteorder::{ByteOrder, LittleEndian};
+
+        let G = (0..m)
+            .flat_map(|i| {
+                let party_index = i as u32;
+                let mut label = [b'G', 0, 0, 0, 0];
+                LittleEndian::write_u32(&mut label[1..5], party_index);
+
+                GeneratorsChain::new(&label).take(n)
+            })
             .collect();
-        let H = GeneratorsChain::new(pedersen_generators.B_blinding.compress().as_bytes())
-            .take(n * m)
+
+        let H = (0..m)
+            .flat_map(|i| {
+                let party_index = i as u32;
+                let mut label = [b'H', 0, 0, 0, 0];
+                LittleEndian::write_u32(&mut label[1..5], party_index);
+
+                GeneratorsChain::new(&label).take(n)
+            })
             .collect();
 
         Generators {
-            pedersen_generators,
+            pedersen_gens,
             n,
             m,
             G,
@@ -132,7 +152,7 @@ impl Generators {
         let lower = self.n * j;
         let upper = self.n * (j + 1);
         GeneratorsView {
-            pedersen_generators: &self.pedersen_generators,
+            pedersen_gens: &self.pedersen_gens,
             G: &self.G[lower..upper],
             H: &self.H[lower..upper],
         }

src/inner_product_proof.rs

@@ -326,7 +326,7 @@ mod tests {
     use super::*;
 
     use rand::OsRng;
-    use sha2::Sha512;
+    use sha3::Sha3_512;
     use util;
 
     fn test_helper_create(n: usize) {
@@ -338,7 +338,7 @@ mod tests {
         let H = gens.share(0).H.to_vec();
 
         // Q would be determined upstream in the protocol, so we pick a random one.
-        let Q = RistrettoPoint::hash_from_bytes::<Sha512>(b"test point");
+        let Q = RistrettoPoint::hash_from_bytes::<Sha3_512>(b"test point");
 
         // a and b are the vectors for which we want to prove c = <a,b>
         let a: Vec<_> = (0..n).map(|_| Scalar::random(&mut rng)).collect();

src/lib.rs

@@ -11,10 +11,11 @@
 extern crate byteorder;
 extern crate core;
 extern crate curve25519_dalek;
+extern crate digest;
 #[macro_use]
 extern crate failure;
 extern crate rand;
-extern crate sha2;
+extern crate sha3;
 extern crate subtle;
 extern crate tiny_keccak;
 #[macro_use]

src/range_proof/dealer.rs

@@ -211,7 +211,7 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
 
         // Get a challenge value to combine statements for the IPP
         let w = self.transcript.challenge_scalar();
-        let Q = w * self.gens.pedersen_generators.B;
+        let Q = w * self.gens.pedersen_gens.B;
 
         let l_vec: Vec<Scalar> = proof_shares
             .iter()

src/range_proof/messages.rs

@@ -97,7 +97,7 @@ impl ProofShare {
                 .chain(h),
             iter::once(&value_commitment.A_j)
                 .chain(iter::once(&value_commitment.S_j))
-                .chain(iter::once(&gens.pedersen_generators.B_blinding))
+                .chain(iter::once(&gens.pedersen_gens.B_blinding))
                 .chain(gens.share(j).G.iter())
                 .chain(gens.share(j).H.iter()),
         );
@@ -117,8 +117,8 @@ impl ProofShare {
             iter::once(&value_commitment.V_j)
                 .chain(iter::once(&poly_commitment.T_1_j))
                 .chain(iter::once(&poly_commitment.T_2_j))
-                .chain(iter::once(&gens.pedersen_generators.B))
-                .chain(iter::once(&gens.pedersen_generators.B_blinding)),
+                .chain(iter::once(&gens.pedersen_gens.B))
+                .chain(iter::once(&gens.pedersen_gens.B_blinding)),
         );
 
         if t_check.is_identity() {

src/range_proof/mod.rs

@@ -219,8 +219,8 @@ impl RangeProof {
                 .chain(iter::once(self.T_2.decompress()))
                 .chain(self.ipp_proof.L_vec.iter().map(|L| L.decompress()))
                 .chain(self.ipp_proof.R_vec.iter().map(|R| R.decompress()))
-                .chain(iter::once(Some(gens.pedersen_generators.B_blinding)))
-                .chain(iter::once(Some(gens.pedersen_generators.B)))
+                .chain(iter::once(Some(gens.pedersen_gens.B_blinding)))
+                .chain(iter::once(Some(gens.pedersen_gens.B)))
                 .chain(gens.G.iter().map(|&x| Some(x)))
                 .chain(gens.H.iter().map(|&x| Some(x)))
                 .chain(value_commitments.iter().map(|&x| Some(x))),
@@ -422,7 +422,7 @@ mod tests {
             // 2. Serialize
             proof_bytes = bincode::serialize(&proof).unwrap();
 
-            let pg = &generators.pedersen_generators;
+            let pg = &generators.pedersen_gens;
 
             // XXX would be nice to have some convenience API for this
             value_commitments = values

src/range_proof/party.rs

@@ -30,9 +30,7 @@ impl Party {
             return Err(MPCError::InvalidBitsize);
         }
 
-        let V = generators
-            .pedersen_generators
-            .commit(Scalar::from(v), v_blinding);
+        let V = generators.pedersen_gens.commit(Scalar::from(v), v_blinding);
 
         Ok(PartyAwaitingPosition {
             generators,
@@ -66,7 +64,7 @@ impl<'a> PartyAwaitingPosition<'a> {
 
         let a_blinding = Scalar::random(rng);
         // Compute A = <a_L, G> + <a_R, H> + a_blinding * B_blinding
-        let mut A = gen_share.pedersen_generators.B_blinding * a_blinding;
+        let mut A = gen_share.pedersen_gens.B_blinding * a_blinding;
 
         use subtle::{Choice, ConditionallyAssignable};
         for i in 0..self.n {
@@ -85,7 +83,7 @@ impl<'a> PartyAwaitingPosition<'a> {
         // Compute S = <s_L, G> + <s_R, H> + s_blinding * B_blinding
         let S = RistrettoPoint::multiscalar_mul(
             iter::once(&s_blinding).chain(s_L.iter()).chain(s_R.iter()),
-            iter::once(&gen_share.pedersen_generators.B_blinding)
+            iter::once(&gen_share.pedersen_gens.B_blinding)
                 .chain(gen_share.G.iter())
                 .chain(gen_share.H.iter()),
         );
@@ -164,12 +162,12 @@ impl<'a> PartyAwaitingValueChallenge<'a> {
         let T_1 = self
             .generators
             .share(self.j)
-            .pedersen_generators
+            .pedersen_gens
             .commit(t_poly.1, t_1_blinding);
         let T_2 = self
             .generators
             .share(self.j)
-            .pedersen_generators
+            .pedersen_gens
             .commit(t_poly.2, t_2_blinding);
 
         let poly_commitment = PolyCommitment {