Rewrite ec abstraction

[omershlo]

No description provided.

[omershlo]

I made major changes to EC traits. currently implemented only for secp256k1. Unit tests are needed as well as implementation for curve25519.
The major milestone so far is the generic traits ECScalar and ECPoint and the EC specific implementation for Secp256k1Scalar and Secp256k1Point. Any discussion and feedback at this level are welcome

[omershlo]

I changed the elliptic curves to be features. need to find a way to make the compilation of the crates optional such that we compile only the EC we need.

[romanz]

The build seems to be failing: https://travis-ci.com/KZen-networks/cryptography-utils/jobs/139499279#L694:

$ cargo +nightly check --all
    Checking cryptography-utils v0.1.0 (file:///home/roman/Code/KZen/cryptography-utils)                                                                                                                                                                                        
error[E0432]: unresolved import `FE`
  --> src/cryptographic_primitives/proofs/dlog_zk_protocol.rs:34:5
   |
34 | use FE;
   |     ^^ no `FE` in the root

error[E0432]: unresolved import `GE`
  --> src/cryptographic_primitives/proofs/dlog_zk_protocol.rs:35:5
   |
35 | use GE;
   |     ^^ no `GE` in the root

error[E0432]: unresolved import `PK`
  --> src/cryptographic_primitives/proofs/dlog_zk_protocol.rs:36:5
   |
36 | use PK;
   |     ^^ no `PK` in the root

error[E0432]: unresolved import `SK`
  --> src/cryptographic_primitives/proofs/dlog_zk_protocol.rs:37:5
   |
37 | use SK;
   |     ^^ no `SK` in the root

[omershlo]

@romanz this is because you must choose an elliptic curve feature for the build to be successful.

[romanz]

@omershlo Thanks! It should be fixed by a9d78ef.

[romanz]

Mostly style and naming-related comments; didn't review the cryptography-related changes.

[romanz]

Please remove the commented line - or set the default explicitly.

[romanz]

Can this be written as digest.update(&value.to_vec())?

If so - please change hash_sha256.rs as well.

[omershlo]

@gbenattar ?

[omershlo]

changed it. thanks!

[romanz]

Please delete the commented code blocks (above and in the rest of the changed code).

[romanz]

secp256k1 -> curve25519

[romanz]

mul -> sub

[romanz]

Consider naming it generator() (instead of new()).

[omershlo]

done. good idea!!

[romanz]

Consider removing the line (as "curve25519" doesn't export an EC type).

[mortendahl]

some comments, but didn't look too closely at the crypto parts -- is that a review priority as well? anything that's worth focusing specifically on?

[mortendahl]

won't this fail when not using feature curvesecp256k1? maybe find a way to use conditional compilation to leave this code out in those cases

[omershlo]

yes, the reason was that not every elliptic curve that is used for signing can be used for Pedersen commitment as well so when new elliptic curves are introduced we would add pedersen commitment based on them. But your point is solid. @gbenattar @romanz do you know of a way to support Pederesen with fixed elliptic curve while condition compilation on all other elliptic curve related stuff? this might come in useful in the future?

[mortendahl]

out of curiosity, what determines whether a curve can be used for commitment or not?

for conditional compilation you can simply annotate the impl with #[cfg(feature = "...")]

[omershlo]

If the curve is prime order group or not. For example curve25519 is not.

[omershlo]

I sprayed #[cfg(feature = "curvesecp256k1")] all over the place. It appears that we are using pedersen commitments in many places. @romanz @mortendahl @gbenattar maybe one of you have an idea on how to do this exclusion more elegant or at least how to minimize the times I use #[cfg(feature = "curvesecp256k1")]?

[mortendahl]

create_commitment_with_user_defined_randomness and create_commitment share almost the same code; let one use the other?

[omershlo]

done. good catch.

[mortendahl]

both methods again share almost the same code; let one use the other?

[omershlo]

done

[mortendahl]

couldn't get it to compile with this curve (blocked on serde errors)

[omershlo]

@gbenattar probably some backward compatibility issue from your work on serialization?

[gbenattar]

The default one? Just to make sure, do a cargo update and also do a rustup update, they changed nightly recently.

[omershlo]

@gbenattar not the default one, the build is failing for curve25519 because serde is not implemented for this.

[mortendahl]

I think the extern crate ring is in the wrong place if super is needed here

[omershlo]

completely right, moved it to lib.rs

[mortendahl]

some methods perhaps seem a bit more explicit in naming than typical rust code, eg from_big_int instead of simply from, get_element instead of element, and get_x_coor_as_big_int instead of x_coor

[omershlo]

I changed the interface. my only problem is with get_element - I need to differentiate it from set_element so I cannot just change it to element

[mortendahl]

no need to clone

[omershlo]

great!

[mortendahl]

conditional compilation to only be included when this curve is used?

[mortendahl]

there is something slightly unpleasant about scalar_mul taking mut self while other operations don't. perhaps a Borrow could work and still get the same reuse optimisation when needed? in any case the extra clones could be move into that.

[omershlo]

I'm not sure I follow. scalar_mul takes self with the intention to consume self.
This was done to limit the interface. Is this a problem?

[mortendahl]

not a problem, only saying that the clone could be hidden if desired

[omershlo]

can you give an example please?

[mortendahl]

"hidden" as in moved into the function by letting the function take eg a Cow instead. does that make sense?

[mortendahl]

I'm wondering if the interface could be changed to avoid this picking of fields, which might cause some confusion or worse down the line. What if eg verify_commitments_and_dlog_proof simply took party_one_first_message and party_one_second_message as arguments?