-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: ed25519 digital signature scheme #179
base: main
Are you sure you want to change the base?
Conversation
I think this is ready for review! |
I don't mind having either dependency -- especially dev-deps. At some point it would be kinda cool to make our own bigint implementation. I honestly don't know the intricacies of how the popular libraries do it (i just imagine you'd do some generic ripple carry or something). Let me review! |
I think we need semver CI running on PRs into main... I can add this elsewhere and rebase here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is looking great! I left comments throughout.
Mostly, I think my concern here is that this specific implementation moves further away from "first principles" than I'd like it to. Perhaps we can work this a bit to use more of ronk's native types we have (e.g., our SHA impl, PrimeField, and Curves). There would be a good amount of work to make that possible I'd imagine. I roughly see what it is, but it would be good to work towards this.
So some options are to:
- See how much we can reduce external dependency usage now with minimal pain
- Make issues for what is needed so that we move towards only using our internal types in the future.
/// Find the square root of an element of the `BaseField` | ||
/// It uses the algorithm given in Section 5.1.1 of [RFC8032] utilizing the special case of | ||
/// `P = 5 (mod 8)`. To read more, see: (https://en.wikipedia.org/wiki/Quadratic_residue#Prime_or_prime_power_modulus) | ||
pub fn sqrt(x: &BaseField) -> Option<BaseField> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't we already have a finite field sqrt
we can use?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you mean the one for PrimeField
, then I am not sure how, because this one is specialized for BaseField
that is a type specialization of ConstMontyForm
(from crypto_bigint
) type
Thanks for the review! @Autoparallel
I agree with you completely! That was my concern as well. There are few things I would to point out. Secondly, the issue with ronkation's curve implementation is that Edwards curve is a different form of elliptic curve (different from the Weierstrass from that is used in ronkathon), so RFC mentions different parameters. But I think the main difference is point representation that we have used. I have had used extended homogeneous coordinates (which is the also recommended as per the RFC) because using affine coordinates was at least an order of magnitude slower. So they use different point addition formula. Lastly, with SHA, we had SHA256 not SHA512. So I had to add a dependency. But, like you said, it will be better to implement sha512. (maybe not a lot of work, i guess) |
Added a sha512 implementation. I have reused most of the code from |
I think we can start with adding support for large FiniteField(and friends) which uses Montgomery reduction or Barrett reduction. I will open an issue in this regard. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome work sir. I have few questions that I mentioned on the respective files. I think we can generalise and reduce code dedeuplication.
Adding Edwards curve support will be hugee (if not, we should create an issue)
@@ -0,0 +1,174 @@ | |||
//! Edwards-curve Digital Signature Algorithm (EdDSA) based on the RFC 8032. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
want to create a trait for DSA
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will leave this to you, because I am not sure how it will look like considering the ECDSA code.
Hope that is not an issue!
Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is really nice, but I'd like us to add support for Edwards curve in the curve
module. will leave the decision for adding the support for this in current PR to you (i support adding it), but we should definitely create an issue, and remove this file from dsa
module entirely.
src/hashes/sha512.rs
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like we can combine sha256 and sha512 using const generics easily? most of the logic is duplicated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The main issue is the different definition of sigma functions for sha512 and sha256, also the different paddings
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am a beginner in rust, so if you want you can go ahead and do that!
After a bit of thought, there are two phases to going dependency free, first add bigint library and then refactor exisiting code. |
Adding Edwards curve would maybe not be that bad? Though it would be monumental for this PR to contain it. It's a different way of writing the equation (actually a slightly different equation at that) and homogeneous coordinates are just a different coordinate system. It would be possible to make our curve trait generic over coordinate system and type. E.g., have something like: EllipticCurve<Edwards, Homogeneous>
EllipticCurve<Weierstrass, Standard> The main differences come down to how you implement the group operation. As for the PrimeField<BigInt, 21888242871839275222246405745257275088548364400416034343698204186575808495617> or something. In this case, we could implement the optimizations on the Also, nice work with the SHA-512. That was a good call and I appreciate you doing it. I think at this point moving forward to merge this and create issues to come back and solve these propositions would be my advice! |
At some point, we have to implement our own stuff and get rid of the deps, so better now than later. Another motivation for implementing it here is that I found an excellent material on it in the Handbook of Applied Cryptography (See Chapter 14). |
@mrdaybird I'd be very curious to review. What's your current plan for these implementations? |
At the moment,
(perhaps is Then we provide macros to create struct that implements
This creates a struct name |
while i like the direction you're going, i think it will be overkill for this PR to have a BigInt implementation. We can discuss this in a separate issue. what's your view on choosing @Autoparallel would like your take as well. |
I also think that this PR becomes unwieldy to have this much in it. Would also rather have it be another contribution! I also am curious about just using |
No problem! About this PR, I have resolved/fixed all review comments as far as I understand. Thanks! |
If you had asked me this question before I created my own bigint + field implementation, I have preferred it. But, now I would say that it will be better to have our implementation keeping in line with ronkathon's goal of "...everything from first principles."
After a cursory look at other bigint library(1, 2), I believe they do not provide some sort of modular reduction/multiplication support. If we want to use it, we have to write our own modular reduction/multiplication. But I am not sure if it will be better than having our own bigint impl. |
closes #78
keygen
,sign
,verify
for ed25519 schemeNote: