Merge pull request #58 from chain/oleg/keccak-duplex

hdevalence · web-flow · commit 07758a9f6cf8 · 2018-04-26T11:33:46.000-07:00
ProofTranscript: use stock `tiny-keccak` crate with duplex construction
diff --git a/Cargo.toml b/Cargo.toml
@@ -19,10 +19,7 @@ rand = "^0.4"
 byteorder = "1.2.1"
 serde = "1"
 serde_derive = "1"
-
-[dependencies.tiny-keccak]
-git = 'https://github.com/chain/tiny-keccak.git'
-rev = '5925f81b3c351440283c3328e2345d982aac0f6e'
+tiny-keccak = "1.4.1"
 
 [dev-dependencies]
 hex = "^0.3"
diff --git a/src/proof_transcript.rs b/src/proof_transcript.rs
@@ -6,10 +6,6 @@
 
 use curve25519_dalek::scalar::Scalar;
 
-// XXX This uses experiment fork of tiny_keccak with half-duplex
-// support that we require in this implementation.
-// Review this after this PR is merged or updated:
-// https://github.com/debris/tiny-keccak/pull/24
 use tiny_keccak::Keccak;
 
 use byteorder::{ByteOrder, LittleEndian};
@@ -31,12 +27,13 @@ use byteorder::{ByteOrder, LittleEndian};
 /// ensure that their challenge values are bound to the *entire* proof
 /// transcript, not just the sub-protocol.
 ///
-/// Internally, the `ProofTranscript` is supposed to use Keccak to
-/// absorb incoming messages and to squeeze challenges.  The
-/// construction currently used is ad-hoc, has no security analysis,
-/// and is **only suitable for testing**.
+/// ## Warning
 ///
-/// # Example
+/// Internally, the `ProofTranscript` uses ad-hoc duplex construction
+/// using Keccak that absorbs incoming messages and squeezes challenges.
+/// There is no security analysis yet, so it is **only suitable for testing**.
+///
+/// ## Example
 ///
 /// ```
 /// # extern crate curve25519_dalek;
@@ -63,41 +60,49 @@ use byteorder::{ByteOrder, LittleEndian};
 #[derive(Clone)]
 pub struct ProofTranscript {
     hash: Keccak,
+    rate: usize,
+    write_offset: usize, // index within a block where the message must be absorbed
 }
 
 impl ProofTranscript {
+    // Implementation notes
+    //
+    // The implementation has 3 layers:
+    // 1. commit/challenge - take input/output buffers <64K, responsible for disambiguation (length prefixing)
+    // 2. write/read       - take arbitrary buffers, responsible for splitting data over Keccak-f invocations and padding
+    // 3. absorb/squeeze   - actual sponge operations, outer layers ensure that absorb/squeeze do not perform unnecessary permutation
+    //
+
     /// Begin a new, empty proof transcript, using the given `label`
     /// for domain separation.
     pub fn new(label: &[u8]) -> Self {
         let mut ro = ProofTranscript {
+            // NOTE: if you change the security parameter, also change the rate below
             hash: Keccak::new_shake128(),
+            rate: 1600/8 - (2*128/8), // 168 bytes
+            write_offset: 0,
         };
+        // We will bump the version prefix each time we
+        // make a breaking change in order to disambiguate
+        // from the previous versions of this implementation.
+        ro.commit(b"ProofTranscript v2");
         ro.commit(label);
-        // makes sure the label is disambiguated from the rest of the messages.
-        ro.pad();
         ro
     }
 
-    /// Commit a `message` to the proof transcript.
+    /// Commit a `input` to the proof transcript.
     ///
     /// # Note
     ///
-    /// Each message must be shorter than 64Kb (65536 bytes).
-    pub fn commit(&mut self, message: &[u8]) {
-        let len = message.len();
+    /// Each input must be ≤ than the number of bytes
+    /// returned by `max_commit_size()`.
+    pub fn commit(&mut self, input: &[u8]) {
+        let len = input.len();
         if len > (u16::max_value() as usize) {
-            panic!("Committed message must be less than 64Kb!");
+            panic!("Committed input must be less than 64Kb!");
         }
-
-        let mut len_prefix = [0u8; 2];
-        LittleEndian::write_u16(&mut len_prefix, len as u16);
-
-        // XXX we rely on tiny_keccak experimental support for half-duplex mode and
-        // correct switching from absorbing to squeezing and back.
-        // Review this after this PR is merged or updated:
-        // https://github.com/debris/tiny-keccak/pull/24
-        self.hash.absorb(&len_prefix);
-        self.hash.absorb(message);
+        self.write_u16(len as u16);
+        self.write(input);
     }
 
     /// Commit a `u64` to the proof transcript.
@@ -112,30 +117,79 @@ impl ProofTranscript {
     }
 
     /// Extracts an arbitrary-sized challenge byte slice.
-    pub fn challenge_bytes(&mut self, mut output: &mut [u8]) {
-        // XXX we rely on tiny_keccak experimental support for half-duplex mode and
-        // correct switching from absorbing to squeezing and back.
-        // Review this after this PR is merged or updated:
-        // https://github.com/debris/tiny-keccak/pull/24
-        self.hash.squeeze(&mut output);
+    ///
+    /// Note: each call performs at least one Keccak permutation,
+    /// so if you need to read multiple logical challenges at once,
+    /// you should read a bigger slice in one call for minimal overhead.
+    pub fn challenge_bytes(&mut self, output: &mut [u8]) {
+        let len = output.len();
+        if output.len() > (u16::max_value() as usize) {
+            panic!("Challenge output must be less than 64Kb!");
+        }
+        // Note: when reading, length prefix N is followed by keccak padding 10*1
+        // as if empty message was written; when writing, length prefix N is followed
+        // by N bytes followed by keccak padding 10*1.
+        // This creates ambiguity only for case N=0 (empty write or empty read),
+        // which is safe as no information is actually transmitted in either direction.
+        self.write_u16(len as u16);
+        self.read(output);
     }
 
     /// Extracts a challenge scalar.
     ///
     /// This is a convenience method that extracts 64 bytes and
     /// reduces modulo the group order.
+    ///
+    /// Note: each call performs at least one Keccak permutation,
+    /// so if you need to read multiple challenge scalars,
+    /// for the minimal overhead you should read `n*64` bytes
+    /// using the `challenge_bytes` method and reduce each
+    /// 64-byte window into a scalar yourself.
     pub fn challenge_scalar(&mut self) -> Scalar {
         let mut buf = [0u8; 64];
         self.challenge_bytes(&mut buf);
         Scalar::from_bytes_mod_order_wide(&buf)
     }
 
-    /// Pad separates the prior operations by padding
-    /// the rest of the block with zeroes and applying a permutation.
-    /// Each incoming message is length-prefixed anyway, but padding
-    /// enables pre-computing and re-using the oracle state.
-    fn pad(&mut self) {
+    /// Internal API: writes 2-byte length prefix.
+    fn write_u16(&mut self, integer: u16) {
+        let mut intbuf = [0u8; 2];
+        LittleEndian::write_u16(&mut intbuf, integer);
+        self.write(&intbuf);
+    }
+
+    /// Internal API: writes arbitrary byte slice
+    /// splitting it over multiple duplex calls if needed.
+    fn write(&mut self, mut input: &[u8]) {
+        // `write` can be called multiple times.
+        // If we overflow the available room (`rate-1` at most)
+        // we absorb what we can, add Keccak padding, permute and continue.
+        let mut room = self.rate - 1 - self.write_offset; // 1 byte is reserved for keccak padding 10*1.
+        while input.len() > room {
+            self.hash.absorb(&input[..room]);
+            self.hash.pad();
+            self.hash.fill_block();
+            self.write_offset = 0;
+            room = self.rate - 1;
+            input = &input[room..];
+        }
+        self.hash.absorb(input);
+        self.write_offset += input.len(); // could end up == (rate-1)
+    }
+
+    /// Internal API: reads arbitrary byte slice
+    /// splitting it over multiple duplex calls if needed.
+    fn read(&mut self, output: &mut [u8]) {
+        // Note 1: `read` is called only once after `write`, so we do
+        //         not need to support multiple reads from some offset.
+        //         We only need to complete the pending duplex call by padding and permuting.
+        // Note 2: Since we hash in the total output buffer length,
+        //         we can use default squeeze behaviour w/o simulating blank inputs:
+        //         the resulting byte-stream will be disambiguated by that length prefix and keccak padding.
+        self.hash.pad();
         self.hash.fill_block();
+        self.write_offset = 0;
+        self.hash.squeeze(output);
     }
 }
 
@@ -149,61 +203,56 @@ mod tests {
         {
             let mut ro = ProofTranscript::new(b"TestProtocol");
             ro.commit(b"test");
-            {
-                let mut ch = [0u8; 32];
-                ro.challenge_bytes(&mut ch);
-                assert_eq!(
-                    hex::encode(ch),
-                    "9ba30a0e71e8632b55fbae92495440b6afb5d2646ba6b1bb419933d97e06b810"
-                );
-                ro.challenge_bytes(&mut ch);
-                assert_eq!(
-                    hex::encode(ch),
-                    "add523844517c2320fc23ca72423b0ee072c6d076b05a6a7b6f46d8d2e322f94"
-                );
-                ro.challenge_bytes(&mut ch);
-                assert_eq!(
-                    hex::encode(ch),
-                    "ac279a11cac0b1271d210592c552d719d82d67c82d7f86772ed7bc6618b0927c"
-                );
-            }
-
-            let mut ro = ProofTranscript::new(b"TestProtocol");
-            ro.commit(b"test");
-            {
-                let mut ch = [0u8; 16];
-                ro.challenge_bytes(&mut ch);
-                assert_eq!(hex::encode(ch), "9ba30a0e71e8632b55fbae92495440b6");
-                ro.challenge_bytes(&mut ch);
-                assert_eq!(hex::encode(ch), "afb5d2646ba6b1bb419933d97e06b810");
-                ro.challenge_bytes(&mut ch);
-                assert_eq!(hex::encode(ch), "add523844517c2320fc23ca72423b0ee");
-            }
+            let mut ch = [0u8; 32];
+            ro.challenge_bytes(&mut ch);
+            assert_eq!(
+                hex::encode(ch),
+                "dec44a90f423c15874f7c0afaf62cc6cc0987bf428202cb3508fc7d7c9b5b30a"
+            );
+            ro.challenge_bytes(&mut ch);
+            assert_eq!(
+                hex::encode(ch),
+                "f83256ef4964d71ec6f2dd2f79db70820c781bd8c3d1fceec7cbfa4965d4e530"
+            );
+            ro.challenge_bytes(&mut ch);
+            assert_eq!(
+                hex::encode(ch),
+                "962f9ef161604c5dcbe3387773b293a0e27a6e6ee14ec5d9f6c78a45c36fc0e1"
+            );
+        }
 
+        {
             let mut ro = ProofTranscript::new(b"TestProtocol");
             ro.commit(b"test");
-            {
-                let mut ch = [0u8; 16];
-                ro.challenge_bytes(&mut ch);
-                assert_eq!(hex::encode(ch), "9ba30a0e71e8632b55fbae92495440b6");
-                ro.commit(b"extra commitment");
-                ro.challenge_bytes(&mut ch);
-                assert_eq!(hex::encode(ch), "11536e09cedbb6b302d8c7cd96471be5");
-                ro.challenge_bytes(&mut ch);
-                assert_eq!(hex::encode(ch), "058c383da5f2e193a381aaa420b505b2");
-            }
+            let mut ch = [0u8; 32];
+            ro.challenge_bytes(&mut ch);
+            assert_eq!(
+                hex::encode(ch),
+                "dec44a90f423c15874f7c0afaf62cc6cc0987bf428202cb3508fc7d7c9b5b30a"
+            );
+            ro.commit(b"extra commitment");
+            ro.challenge_bytes(&mut ch);
+            assert_eq!(
+                hex::encode(ch),
+                "edf99afca6c21e4240f33826d60cb1b7c5d59d3dd363d2928bab7b8f94d24eaa"
+            );
+            ro.challenge_bytes(&mut ch);
+            assert_eq!(
+                hex::encode(ch),
+                "a42eabb9d1c9c73dc8c33c0933cee8d5fabd48fcab686d9fcb8f1680841e4369"
+            );
         }
     }
 
     #[test]
-    fn messages_are_disambiguated_by_length_prefix() {
+    fn inputs_are_disambiguated_by_length_prefix() {
         {
             let mut ro = ProofTranscript::new(b"TestProtocol");
             ro.commit(b"msg1msg2");
             {
                 let mut ch = [0u8; 8];
                 ro.challenge_bytes(&mut ch);
-                assert_eq!(hex::encode(ch), "1ad843ea2bf7f8b6");
+                assert_eq!(hex::encode(ch), "3a941266af4275d5");
             }
         }
         {
@@ -213,7 +262,7 @@ mod tests {
             {
                 let mut ch = [0u8; 8];
                 ro.challenge_bytes(&mut ch);
-                assert_eq!(hex::encode(ch), "79abbe29d8c33bb0");
+                assert_eq!(hex::encode(ch), "644d94299bcc5590");
             }
         }
         {
@@ -223,7 +272,7 @@ mod tests {
             {
                 let mut ch = [0u8; 8];
                 ro.challenge_bytes(&mut ch);
-                assert_eq!(hex::encode(ch), "f88d0f790cde50d5");
+                assert_eq!(hex::encode(ch), "14f18d260e679f9a");
             }
         }
         {
@@ -234,8 +283,35 @@ mod tests {
             {
                 let mut ch = [0u8; 8];
                 ro.challenge_bytes(&mut ch);
-                assert_eq!(hex::encode(ch), "90ca22b443fb78a1");
+                assert_eq!(hex::encode(ch), "09dccc9d7dfa6f37");
             }
         }
     }
+
+
+    #[test]
+    fn outputs_are_disambiguated_by_length_prefix() {
+        let mut ro = ProofTranscript::new(b"TestProtocol");
+        {
+            let mut ch = [0u8; 16];
+            ro.challenge_bytes(&mut ch);
+            assert_eq!(hex::encode(ch), "60890c8d774932db1aba587941cbffca");
+            ro.challenge_bytes(&mut ch);
+            assert_eq!(hex::encode(ch), "bb9308c7d34769ae2a3c040394efb2ab");
+        }
+
+        let mut ro = ProofTranscript::new(b"TestProtocol");
+        {
+            let mut ch = [0u8; 8];
+            ro.challenge_bytes(&mut ch);
+            assert_eq!(hex::encode(ch), "cc76fac64922bc58");
+            ro.challenge_bytes(&mut ch);
+            assert_eq!(hex::encode(ch), "d259804aae5c3246");
+            ro.challenge_bytes(&mut ch);
+            assert_eq!(hex::encode(ch), "6d3a732156286895");
+            ro.challenge_bytes(&mut ch);
+            assert_eq!(hex::encode(ch), "2165dcd38764b5ae");
+        }
+    }
+
 }
