Add DST to DDH and key consistency proofs

Adds a domain-separation-tag parameter to the Fiat-Shamir challenges of:
- DdhTupleNizk (fastcrypto/src/nizk.rs)
- ZeroProof, ConsistencyProof, KeyConsistencyProof (fastcrypto/src/twisted_elgamal.rs)
- VerifiableKeyEncapsulation, which threads the DST through to its
  inner KeyConsistencyProof.

The bulletproofs range proofs intentionally do not take a DST, to match
the Move and TypeScript implementations in mystenlabs/contra.

Author: jonas-lj

fastcrypto/src/nizk.rs

@@ -31,28 +31,38 @@ where
     <G as GroupElement>::ScalarType: FiatShamirChallenge,
 {
     /// Create a new NIZKPoK for the DDH tuple `(G, H=eG, xG, xH)` using the given RNG.
+    /// `dst` is a domain separation tag bound into the Fiat-Shamir challenge; the same `dst` must
+    /// be passed to [Self::verify].
     pub fn create<R: AllowedRng>(
         x: &G::ScalarType,
         g: &G,
         h: &G,
         x_g: &G,
         x_h: &G,
+        dst: &[u8],
         rng: &mut R,
     ) -> Self {
         let r = G::ScalarType::rand(rng);
         let a = *g * r;
         let b = *h * r;
-        let challenge = Self::fiat_shamir_challenge(g, h, x_g, x_h, &a, &b);
+        let challenge = Self::fiat_shamir_challenge(g, h, x_g, x_h, &a, &b, dst);
         let z = challenge * x + r;
         DdhTupleNizk { a, b, z }
     }
 
-    /// Verify this NIZKPoK.
-    pub fn verify(&self, g: &G, h: &G, x_g: &G, x_h: &G) -> FastCryptoResult<()> {
+    /// Verify this NIZKPoK. `dst` must match the value used in [Self::create].
+    pub fn verify(
+        &self,
+        g: &G,
+        h: &G,
+        x_g: &G,
+        x_h: &G,
+        dst: &[u8],
+    ) -> FastCryptoResult<()> {
         if *g == G::zero() || *h == G::zero() || *x_g == G::zero() || *x_h == G::zero() {
             return Err(FastCryptoError::InvalidProof);
         }
-        let challenge = Self::fiat_shamir_challenge(g, h, x_g, x_h, &self.a, &self.b);
+        let challenge = Self::fiat_shamir_challenge(g, h, x_g, x_h, &self.a, &self.b, dst);
         if !is_valid_relation(&self.a, x_g, g, &self.z, &challenge)
             || !is_valid_relation(
                 &self.b, // B
@@ -66,8 +76,16 @@ where
     }
 
     /// Returns the challenge for Fiat-Shamir.
-    fn fiat_shamir_challenge(g: &G, h: &G, x_g: &G, x_h: &G, a: &G, b: &G) -> G::ScalarType {
-        let output = Sha3_256::digest(bcs::to_bytes(&(g, h, x_g, x_h, a, b)).unwrap());
+    fn fiat_shamir_challenge(
+        g: &G,
+        h: &G,
+        x_g: &G,
+        x_h: &G,
+        a: &G,
+        b: &G,
+        dst: &[u8],
+    ) -> G::ScalarType {
+        let output = Sha3_256::digest(bcs::to_bytes(&(dst, g, h, x_g, x_h, a, b)).unwrap());
         G::ScalarType::fiat_shamir_reduction_to_group_element(&output.digest)
     }
 }
@@ -107,31 +125,35 @@ mod tests {
 
     #[test]
     fn test_nizk_flow() {
+        let dst = b"test";
         let e = S::rand(&mut thread_rng());
         let x = S::rand(&mut thread_rng());
         let g = G::generator() * S::rand(&mut thread_rng());
         let h = g * e;
         let x_g = g * x;
         let x_h = h * x;
-        let nizk = DdhTupleNizk::create(&x, &g, &h, &x_g, &x_h, &mut thread_rng());
-        assert!(nizk.verify(&g, &h, &x_g, &x_h).is_ok());
+        let nizk = DdhTupleNizk::create(&x, &g, &h, &x_g, &x_h, dst, &mut thread_rng());
+        assert!(nizk.verify(&g, &h, &x_g, &x_h, dst).is_ok());
+
+        // A different DST must not verify
+        assert!(nizk.verify(&g, &h, &x_g, &x_h, b"other").is_err());
 
         let invalid_witness = x + S::generator();
         let invalid_nizk =
-            DdhTupleNizk::create(&invalid_witness, &g, &h, &x_g, &x_h, &mut thread_rng());
-        assert!(invalid_nizk.verify(&g, &h, &x_g, &x_h).is_err());
+            DdhTupleNizk::create(&invalid_witness, &g, &h, &x_g, &x_h, dst, &mut thread_rng());
+        assert!(invalid_nizk.verify(&g, &h, &x_g, &x_h, dst).is_err());
 
         let other_g = g + G::generator();
-        assert!(nizk.verify(&other_g, &h, &x_g, &x_h).is_err());
+        assert!(nizk.verify(&other_g, &h, &x_g, &x_h, dst).is_err());
 
         let other_h = h + G::generator();
-        assert!(nizk.verify(&g, &other_h, &x_g, &x_h).is_err());
+        assert!(nizk.verify(&g, &other_h, &x_g, &x_h, dst).is_err());
 
         let other_x_g = x_g + G::generator();
-        assert!(nizk.verify(&g, &h, &other_x_g, &x_h).is_err());
+        assert!(nizk.verify(&g, &h, &other_x_g, &x_h, dst).is_err());
 
         let other_x_h = x_h + G::generator();
-        assert!(nizk.verify(&g, &h, &x_g, &other_x_h).is_err());
+        assert!(nizk.verify(&g, &h, &x_g, &other_x_h, dst).is_err());
     }
 
     #[test]
@@ -145,10 +167,10 @@ mod tests {
         let r = S::from(91u64);
         let a = g * r;
         let b = h * r;
-        let c = DdhTupleNizk::fiat_shamir_challenge(&g, &h, &x_g, &x_h, &a, &b);
+        let c = DdhTupleNizk::fiat_shamir_challenge(&g, &h, &x_g, &x_h, &a, &b, b"test");
         assert_eq!(
             &c.to_byte_array(),
-            Hex::decode("30db2f4121471c4af67d2dcfdede1f4aefb15475867c20c0dd5c228c0721f80e")
+            Hex::decode("308ef93a3c19c20dcbf293b99363eeb4158c90aff86fe006477c80f6140e6a0f")
                 .unwrap()
                 .as_slice()
         );
@@ -157,30 +179,32 @@ mod tests {
     #[test]
     fn test_invalid_proofs() {
         // x_g/h_g/h=inf should be rejected
+        let dst = b"test";
         let e = S::zero();
         let x = S::rand(&mut thread_rng());
         let g = G::generator() * S::rand(&mut thread_rng());
         let h = g * e;
         let x_g = g * x;
         let x_h = h * x;
-        let nizk = DdhTupleNizk::create(&x, &g, &h, &x_g, &x_h, &mut thread_rng());
+        let nizk = DdhTupleNizk::create(&x, &g, &h, &x_g, &x_h, dst, &mut thread_rng());
 
-        assert!(nizk.verify(&G::zero(), &h, &x_g, &x_h).is_err());
-        assert!(nizk.verify(&g, &G::zero(), &x_g, &x_h).is_err());
-        assert!(nizk.verify(&g, &h, &G::zero(), &x_h).is_err());
-        assert!(nizk.verify(&g, &h, &x_g, &G::zero()).is_err());
+        assert!(nizk.verify(&G::zero(), &h, &x_g, &x_h, dst).is_err());
+        assert!(nizk.verify(&g, &G::zero(), &x_g, &x_h, dst).is_err());
+        assert!(nizk.verify(&g, &h, &G::zero(), &x_h, dst).is_err());
+        assert!(nizk.verify(&g, &h, &x_g, &G::zero(), dst).is_err());
     }
 
     #[test]
     fn test_serde() {
+        let dst = b"test";
         let e = S::rand(&mut thread_rng());
         let x2 = S::rand(&mut thread_rng());
         let g = G::generator() * S::rand(&mut thread_rng());
         let h = g * e;
         let x_g = g * x2;
         let x_h = h * x2;
-        let nizk = DdhTupleNizk::create(&x2, &g, &h, &x_g, &x_h, &mut thread_rng());
-        assert!(nizk.verify(&g, &h, &x_g, &x_h).is_ok());
+        let nizk = DdhTupleNizk::create(&x2, &g, &h, &x_g, &x_h, dst, &mut thread_rng());
+        assert!(nizk.verify(&g, &h, &x_g, &x_h, dst).is_ok());
 
         let as_bytes = bcs::to_bytes(&nizk).unwrap();
         let nizk2: DdhTupleNizk<G> = bcs::from_bytes(&as_bytes).unwrap();