Update integer crates to pre-release v0.6

synedrion/Cargo.toml

@@ -10,34 +10,38 @@ readme = "README.md"
 categories = ["cryptography", "no-std"]
 
 [dependencies]
-signature = { version = "2", default-features = false, features = ["alloc"] }
-k256 = { version = "0.13.2", default-features = false, features = ["ecdsa", "arithmetic"] }
-rand_core = { version = "0.6.4", default-features = false }
-sha2 = { version = "0.10", default-features = false }
-sha3 = { version = "0.10", default-features = false }
-digest = { version = "0.10", default-features = false, features = ["alloc"]}
+signature = { version = "2.3.0-pre.4", default-features = false, features = ["alloc"] }
+k256 = {version = "0.14.0-pre.2", default-features = false, features = ["ecdsa", "arithmetic"]}
+rand_core = { version = "0.6.4", default-features = false, features = ["getrandom"] }
+sha2 = { version = "0.11.0-pre.4", default-features = false }
+sha3 = { version = "0.11.0-pre.4", default-features = false }
+digest = { version = "0.11.0-pre.9", default-features = false, features = ["alloc"]}
 hex = { version = "0.4", default-features = false, features = ["alloc"] }
-base64 = { version = "0.21", default-features = false, features = ["alloc"] }
-hashing-serializer = { version = "0.1", default-features = false }
+base64 = { version = "0.22.1", default-features = false, features = ["alloc"] }
+hashing-serializer = { version = "0.2.0-pre.0", default-features = false }
 secrecy = { version = "0.9.0-pre.0", default-features = false, features = ["serde"] }
 zeroize = { version = "1.8", default-features = false, features = ["alloc", "zeroize_derive"] }
-bip32 = { version = "0.5.2", default-features = false, features = ["alloc", "secp256k1"] }
+bip32 = { version = "0.6.0-pre.0", default-features = false, features = ["alloc", "secp256k1", "k256"] }
 
 # Note: `alloc` is needed for `crytpto-bigint`'s dependency `serdect` to be able
 # to serialize Uints in human-readable formats.
-crypto-bigint = { version = "0.5.3", default-features = false, features = ["serde", "alloc"] }
-crypto-primes = { version = "0.5", default-features = false }
+crypto-bigint = { version = "0.6.0-rc.3", features = ["serde", "alloc", "rand_core"] }
+crypto-primes = "0.6.0-pre.0"
 
 serde = { version = "1", default-features = false, features = ["derive"] }
 bincode = { version = "2.0.0-rc.3", default-features = false, features = ["serde", "alloc"] }
 displaydoc = { version = "0.2", default-features = false}
 
+# Note: needed for the `rand_core` feature of `crypto-bigint`.
+[target.wasm32-unknown-unknown.dependencies]
+getrandom = { version = "0.2", features = ["js"]}
+
 [dev-dependencies]
 tokio = { version = "1", features = ["rt", "sync", "time", "macros"] }
 rand = "0.8"
+rand_chacha = "0.3"
 criterion = "0.5"
-hex = "0.4"
-k256 = { version = "0.13.2", default-features = false, features = ["ecdsa", "serde", "pem"] }
+k256 = {version = "0.14.0-pre.2", default-features = false, features = ["ecdsa", "arithmetic", "pem", "serde"]}
 impls = "1"
 
 [features]

synedrion/src/cggmp21/params.rs

@@ -101,7 +101,7 @@ pub trait SchemeParams: Debug + Clone + Send + PartialEq + Eq + Send + Sync + 's
     /// Converts a curve scalar to the associated integer type.
     fn uint_from_scalar(value: &Scalar) -> <Self::Paillier as PaillierParams>::Uint {
         let scalar_bytes = value.to_bytes();
-        let mut repr = <Self::Paillier as PaillierParams>::Uint::ZERO.to_be_bytes();
+        let mut repr = <Self::Paillier as PaillierParams>::Uint::zero().to_be_bytes();
 
         let uint_len = repr.as_ref().len();
         let scalar_len = scalar_bytes.len();
@@ -113,8 +113,8 @@ pub trait SchemeParams: Debug + Clone + Send + PartialEq + Eq + Send + Sync + 's
 
     /// Converts a curve scalar to the associated integer type, wrapped in `Bounded`.
     fn bounded_from_scalar(value: &Scalar) -> Bounded<<Self::Paillier as PaillierParams>::Uint> {
-        const ORDER_BITS: usize = ORDER.bits_vartime();
-        Bounded::new(Self::uint_from_scalar(value), ORDER_BITS as u32).unwrap()
+        const ORDER_BITS: u32 = ORDER.bits_vartime();
+        Bounded::new(Self::uint_from_scalar(value), ORDER_BITS).unwrap()
     }
 
     /// Converts a curve scalar to the associated integer type, wrapped in `Signed`.
@@ -187,9 +187,9 @@ impl SchemeParams for TestParams {
     const EPS_BOUND: usize = 320;
     type Paillier = PaillierTest;
     const CURVE_ORDER: NonZero<<Self::Paillier as PaillierParams>::Uint> =
-        NonZero::<<Self::Paillier as PaillierParams>::Uint>::const_new(upcast_uint(ORDER)).0;
+        upcast_uint(ORDER).to_nz().expect("Correct by construction");
     const CURVE_ORDER_WIDE: NonZero<<Self::Paillier as PaillierParams>::WideUint> =
-        NonZero::<<Self::Paillier as PaillierParams>::WideUint>::const_new(upcast_uint(ORDER)).0;
+        upcast_uint(ORDER).to_nz().expect("Correct by construction");
 }
 
 /// Production strength parameters.
@@ -203,7 +203,7 @@ impl SchemeParams for ProductionParams {
     const EPS_BOUND: usize = Self::L_BOUND * 2;
     type Paillier = PaillierProduction;
     const CURVE_ORDER: NonZero<<Self::Paillier as PaillierParams>::Uint> =
-        NonZero::<<Self::Paillier as PaillierParams>::Uint>::const_new(upcast_uint(ORDER)).0;
+        upcast_uint(ORDER).to_nz().expect("Correct by construction");
     const CURVE_ORDER_WIDE: NonZero<<Self::Paillier as PaillierParams>::WideUint> =
-        NonZero::<<Self::Paillier as PaillierParams>::WideUint>::const_new(upcast_uint(ORDER)).0;
+        upcast_uint(ORDER).to_nz().expect("Correct by construction");
 }

synedrion/src/cggmp21/protocols/aux_gen.rs

@@ -26,7 +26,7 @@ use crate::rounds::{
 };
 use crate::tools::bitvec::BitVec;
 use crate::tools::hashing::{Chain, FofHasher, HashOutput};
-use crate::uint::UintLike;
+use crypto_bigint::BitOps;
 
 /// Possible results of the AuxGen protocol.
 #[derive(Debug, Clone, Copy)]
@@ -305,7 +305,7 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> Round<I> for Round2<P,
 
         let paillier_pk = broadcast_msg.data.paillier_pk.to_precomputed();
 
-        if paillier_pk.modulus().bits_vartime() < 8 * P::SECURITY_PARAMETER {
+        if (paillier_pk.modulus().bits_vartime() as usize) < 8 * P::SECURITY_PARAMETER {
             return Err(AuxGenError(AuxGenErrorEnum::Round2(
                 "Paillier modulus is too small".into(),
             )));

synedrion/src/cggmp21/protocols/key_refresh.rs

@@ -28,7 +28,7 @@ use crate::rounds::{
 };
 use crate::tools::bitvec::BitVec;
 use crate::tools::hashing::{Chain, FofHasher, HashOutput};
-use crate::uint::UintLike;
+use crypto_bigint::BitOps;
 
 /// Possible results of the KeyRefresh protocol.
 #[derive(Debug)]
@@ -59,10 +59,13 @@ enum KeyRefreshErrorEnum<P: SchemeParams> {
         mu: Randomizer<P::Paillier>,
     },
 }
-
 #[derive(Debug, Clone, Serialize, Deserialize)]
-#[serde(bound(serialize = "PrmProof<P>: Serialize"))]
-#[serde(bound(deserialize = "PrmProof<P>: for<'x> Deserialize<'x>"))]
+#[serde(bound(serialize = "
+        PrmProof<P>: Serialize,
+    "))]
+#[serde(bound(deserialize = "
+        PrmProof<P>: for<'x> Deserialize<'x>,
+    "))]
 pub struct PublicData1<P: SchemeParams> {
     cap_x_to_send: Vec<Point>, // $X_i^j$ where $i$ is this party's index
     cap_a_to_send: Vec<SchCommitment>, // $A_i^j$ where $i$ is this party's index
@@ -352,7 +355,7 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> Round<I> for Round2<P,
 
         let paillier_pk = broadcast_msg.data.paillier_pk.to_precomputed();
 
-        if paillier_pk.modulus().bits_vartime() < 8 * P::SECURITY_PARAMETER {
+        if (paillier_pk.modulus().bits_vartime() as usize) < 8 * P::SECURITY_PARAMETER {
             return Err(KeyRefreshError(KeyRefreshErrorEnum::Round2(
                 "Paillier modulus is too small".into(),
             )));

synedrion/src/cggmp21/sigma/fac.rs

@@ -57,7 +57,7 @@ impl<P: SchemeParams> FacProof<P> {
         // Note that it has to be matched when we check the range of
         // `z1` and `z2` during verification.
         let sqrt_cap_n = Bounded::new(
-            <P::Paillier as PaillierParams>::Uint::ONE
+            <P::Paillier as PaillierParams>::Uint::one()
                 << (<P::Paillier as PaillierParams>::PRIME_BITS - 2),
             <P::Paillier as PaillierParams>::PRIME_BITS as u32,
         )

synedrion/src/cggmp21/sigma/mod_.rs

@@ -7,8 +7,9 @@ use serde::{Deserialize, Serialize};
 
 use super::super::SchemeParams;
 use crate::paillier::{PaillierParams, PublicKeyPaillierPrecomputed, SecretKeyPaillierPrecomputed};
-use crate::tools::hashing::{Chain, Hashable, XofHasher};
-use crate::uint::{RandomPrimeWithRng, Retrieve, UintLike, UintModLike};
+use crate::tools::hashing::{uint_from_xof, Chain, Hashable, XofHasher};
+use crate::uint::{RandomPrimeWithRng, Retrieve, ToMontgomery};
+use crypto_bigint::{PowBoundedExp, Square};
 
 const HASH_TAG: &[u8] = b"P_mod";
 
@@ -41,7 +42,7 @@ impl<P: SchemeParams> ModChallenge<P> {
 
         let modulus = pk.modulus_nonzero();
         let ys = (0..P::SECURITY_PARAMETER)
-            .map(|_| <P::Paillier as PaillierParams>::Uint::from_xof(&mut reader, &modulus))
+            .map(|_| uint_from_xof(&mut reader, &modulus))
             .collect();
         Self(ys)
     }
@@ -100,8 +101,8 @@ impl<P: SchemeParams> ModProof<P> {
                         y_mod_q = -y_mod_q;
                     }
                     if *b {
-                        y_mod_p = y_mod_p * omega_mod_p;
-                        y_mod_q = y_mod_q * omega_mod_q;
+                        y_mod_p *= omega_mod_p.clone();
+                        y_mod_q *= omega_mod_q.clone();
                     }
 
                     if let Some((p, q)) = sk.sqrt(&(y_mod_p, y_mod_q)) {
@@ -116,8 +117,9 @@ impl<P: SchemeParams> ModProof<P> {
                 let y_4th_parts = sk.sqrt(&y_sqrt).unwrap();
                 let y_4th = sk.rns_join(&y_4th_parts);
 
-                let y = challenge.0[i].to_mod(pk.precomputed_modulus());
-                let z = y.pow_bounded(sk.inv_modulus());
+                let y = challenge.0[i].to_montgomery(pk.precomputed_modulus());
+                let sk_inv_modulus = sk.inv_modulus();
+                let z = y.pow_bounded_exp(sk_inv_modulus.as_ref(), sk_inv_modulus.bound());
 
                 ModProofElem {
                     x: y_4th,
@@ -159,21 +161,22 @@ impl<P: SchemeParams> ModProof<P> {
         }
 
         let precomputed = pk.precomputed_modulus();
-        let omega_mod = self.commitment.0.to_mod(precomputed);
+        let omega_mod = self.commitment.0.to_montgomery(precomputed);
         for (elem, y) in self.proof.iter().zip(self.challenge.0.iter()) {
-            let z_m = elem.z.to_mod(precomputed);
-            let mut y_m = y.to_mod(precomputed);
-            if z_m.pow_bounded(&pk.modulus_bounded()) != y_m {
+            let z_m = elem.z.to_montgomery(precomputed);
+            let mut y_m = y.to_montgomery(precomputed);
+            let pk_modulus_bounded = pk.modulus_bounded();
+            if z_m.pow_bounded_exp(pk_modulus_bounded.as_ref(), pk_modulus_bounded.bound()) != y_m {
                 return false;
             }
 
             if elem.a {
                 y_m = -y_m;
             }
             if elem.b {
-                y_m = y_m * omega_mod;
+                y_m *= omega_mod;
             }
-            let x = elem.x.to_mod(precomputed);
+            let x = elem.x.to_montgomery(precomputed);
             let x_4 = x.square().square();
             if y_m != x_4 {
                 return false;

synedrion/src/cggmp21/sigma/prm.rs

@@ -14,8 +14,9 @@ use crate::paillier::{PaillierParams, RPParamsMod, RPSecret, SecretKeyPaillierPr
 use crate::tools::hashing::{Chain, Hashable, XofHasher};
 use crate::uint::{
     subtle::{Choice, ConditionallySelectable},
-    Bounded, Retrieve, UintLike, UintModLike,
+    Bounded, Retrieve, ToMontgomery,
 };
+use crypto_bigint::PowBoundedExp;
 
 const HASH_TAG: &[u8] = b"P_prm";
 
@@ -43,7 +44,7 @@ impl<P: SchemeParams> PrmCommitment<P> {
         let commitment = secret
             .0
             .iter()
-            .map(|a| base.pow_bounded(a).retrieve())
+            .map(|a| base.pow_bounded_exp(a.as_ref(), a.bound()).retrieve())
             .collect();
         Self(commitment)
     }
@@ -133,8 +134,8 @@ impl<P: SchemeParams> PrmProof<P> {
         for i in 0..challenge.0.len() {
             let z = self.proof[i];
             let e = challenge.0[i];
-            let a = self.commitment.0[i].to_mod(precomputed);
-            let pwr = setup.base.pow_bounded(&z);
+            let a = self.commitment.0[i].to_montgomery(precomputed);
+            let pwr = setup.base.pow_bounded_exp(z.as_ref(), z.bound());
             let test = if e { pwr == a * setup.power } else { pwr == a };
             if !test {
                 return false;

synedrion/src/curve/arithmetic.rs

@@ -7,9 +7,8 @@ use core::ops::{Add, Mul, Neg, Sub};
 use digest::Digest;
 use k256::elliptic_curve::group::ff::PrimeField;
 use k256::elliptic_curve::{
+    array::{typenum::marker_traits::Unsigned, Array},
     bigint::U256, // Note that this type is different from typenum::U256
-    generic_array::typenum::marker_traits::Unsigned,
-    generic_array::GenericArray,
     ops::Reduce,
     point::AffineCoordinates,
     sec1::{EncodedPoint, FromEncodedPoint, ModulusSize, ToEncodedPoint},
@@ -81,7 +80,7 @@ impl Scalar {
     /// SEC1 specifies to subtract the secp256k1 modulus when the byte array
     /// is larger than the modulus.
     pub fn from_reduced_bytes(bytes: &[u8; 32]) -> Self {
-        let arr = GenericArray::<u8, FieldBytesSize<Secp256k1>>::from(*bytes);
+        let arr = Array::<u8, FieldBytesSize<Secp256k1>>::from(*bytes);
         Self(<BackendScalar as Reduce<U256>>::reduce_bytes(&arr))
     }
 
@@ -107,9 +106,8 @@ impl Scalar {
     }
 
     pub(crate) fn try_from_bytes(bytes: &[u8]) -> Result<Self, String> {
-        let arr =
-            GenericArray::<u8, FieldBytesSize<Secp256k1>>::from_exact_iter(bytes.iter().cloned())
-                .ok_or("Invalid length of a curve scalar")?;
+        let arr = Array::<u8, FieldBytesSize<Secp256k1>>::try_from_iter(bytes.iter().cloned())
+            .map_err(|e| format!("Invalid length of a curve scalar: {:?}", e))?;
 
         BackendScalar::from_repr_vartime(arr)
             .map(Self)
@@ -199,10 +197,13 @@ impl Point {
             .ok_or_else(|| "Invalid curve point representation".into())
     }
 
-    pub(crate) fn to_compressed_array(self) -> GenericArray<u8, CompressedPointSize> {
-        *GenericArray::<u8, CompressedPointSize>::from_slice(
-            self.0.to_affine().to_encoded_point(true).as_bytes(),
-        )
+    pub(crate) fn to_compressed_array(self) -> Array<u8, CompressedPointSize> {
+        self.0
+            .to_affine()
+            .to_encoded_point(true)
+            .as_bytes()
+            .try_into()
+            .expect("An AffinePoint is composed of elements of the correct size and their slice repr fits in the `CompressedPointSize`-sized array.")
     }
 
     pub(crate) fn to_backend(self) -> BackendPoint {

synedrion/src/curve/ecdsa.rs

@@ -21,7 +21,7 @@ impl RecoverableSignature {
         // Normalize the `s` component.
         // `BackendSignature`'s constructor does not require `s` to be normalized,
         // but consequent usage of it may fail otherwise.
-        let signature = signature.normalize_s().unwrap_or(signature);
+        let signature = signature.normalize_s();
 
         let message_bytes = message.to_bytes();
         let recovery_id = RecoveryId::trial_recovery_from_prehash(