From 003e58e735a18720b8574083ac9d173bed309c27 Mon Sep 17 00:00:00 2001
From: Al-Kindi-0 <82364884+Al-Kindi-0@users.noreply.github.com>
Date: Fri, 3 Jan 2025 16:01:05 +0100
Subject: [PATCH] feat: simplify seed construction
---
 Cargo.lock | 27 ----------------
 Cargo.toml | 1 -
 src/dsa/rpo_stark/stark/mod.rs | 58 +++++++++++++++-------------------
 3 files changed, 25 insertions(+), 61 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index e00fa593..56f7d47a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -341,7 +341,6 @@ checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" dependencies = [ "block-buffer", "crypto-common", - "subtle", ] [[package]]
@@ -429,15 +428,6 @@ version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" -[[package]] -name = "hmac" -version = "0.12.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e" -dependencies = [ - "digest", -] - [[package]] name = "is-terminal" version = "0.4.13"
@@ -553,7 +543,6 @@ dependencies = [ "rand_chacha", "rand_core", "rayon", - "rfc6979", "seq-macro", "serde", "sha3",
@@ -828,16 +817,6 @@ version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c" -[[package]] -name = "rfc6979" -version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2" -dependencies = [ - "hmac", - "subtle", -] - [[package]] name = "rustix" version = "0.38.42"
@@ -938,12 +917,6 @@ version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" -[[package]] -name = "subtle" -version = "2.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" - [[package]] name = "syn" version = "2.0.90"
diff --git a/Cargo.toml b/Cargo.toml
index 4e3c7003..0c0d6037 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -75,7 +75,6 @@ rand_chacha = { version = "0.3", default-features = false }
 rand_core = { version = "0.6", default-features = false }
 rand-utils = {git = 'https://github.com/Al-Kindi-0/winterfell', package = "winter-rand-utils" , branch = 'al-zk', optional = true }
 rayon = { version = "1.10", optional = true }
-rfc6979 = { version = "0.4", default-features = false }
 serde = { version = "1.0", default-features = false, optional = true, features = ["derive"] }
 sha3 = { version = "0.10", default-features = false }
 thiserror = { version = "2.0", default-features = false }
diff --git a/src/dsa/rpo_stark/stark/mod.rs b/src/dsa/rpo_stark/stark/mod.rs
index fe22338e..ef311f86 100644
--- a/src/dsa/rpo_stark/stark/mod.rs
+++ b/src/dsa/rpo_stark/stark/mod.rs
@@ -1,17 +1,9 @@
 use core::marker::PhantomData;
+use std::vec::Vec;
 use prover::RpoSignatureProver;
 use rand::{distributions::Standard, prelude::Distribution};
 use rand_chacha::ChaCha20Rng;
-use rfc6979::{consts::U32, ByteArray, HmacDrbg};
-use sha3::{
-    digest::{
-        core_api::BlockSizeUser,
-        generic_array::{ArrayLength, GenericArray},
-        Digest as GenericDigest, FixedOutput, FixedOutputReset,
-    },
-    Sha3_256,
-};
 use winter_crypto::{ElementHasher, Hasher, SaltedMerkleTree};
 use winter_math::fields::f64::BaseElement;
 use winter_prover::{Proof, ProofOptions, Prover};
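Review bot: `use std::vec::Vec;` is the only `std` path in an import block that otherwise reaches for `core` (`core::marker::PhantomData` on the line above it), which suggests the crate is built `no_std`; if so this import breaks that configuration, and if the crate is `std`-only the line is redundant because `Vec` is already in the prelude. Prefer `use alloc::vec::Vec;` when the crate declares `extern crate alloc`, or drop the import entirely. The only consumer is the concatenation buffer built with `Vec::with_capacity` in `generate_seed` further down this file.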
@@ -50,7 +42,7 @@ where
         let trace = prover.build_trace(sk);
         // generate the initial seed for the PRNG used for zero-knowledge
-        let seed: [u8; 32] = generate_seed::(sk, msg).into();
+        let seed: [u8; 32] = generate_seed(sk, msg);
         // generate the proof
         prover.prove(trace, Some(seed)).expect("failed to generate the signature")
@@ -78,33 +70,33 @@ where
 /// Deterministically generates a seed for seeding the PRNG used for zero-knowledge.
 ///
-/// This uses the Algorithm described in [RFC 6979](https://tools.ietf.org/html/rfc6979#section-3) § 3.2.
-/// The direct approach would be to just use the concatentation of the secret key and the message as
-/// the value of the seed but we opt instead to use it as the seed of an `HMAC_DRBG` PRNG similar
-/// to how it is used in `RFC 6979` to generate the value `k`.
+/// This uses the argument described in [RFC 6979](https://datatracker.ietf.org/doc/html/rfc6979#section-3.5)
+/// § 3.5 where the concatenation of the private key and the hashed message, i.e., sk || H(m), is
+/// used in order to construct the initial seed of a PRNG.
 ///
-/// Note that in `RFC 6979` the hash function used in the `HMAC_DRBG` PRNG is chosen to be the same
-/// hash function used in hashing the message. In Section 3.6., however, a variant allowing
-/// different hash functions is discussed and the overall security is claimed to be limited by
-/// the weaker of the two.
+/// Note that we hash in also a context string in order to domain separate between different
+/// instantiations of the signature scheme.
 #[inline]
-pub fn generate_seed(
-    sk: [BaseElement; DIGEST_SIZE],
-    msg: [BaseElement; DIGEST_SIZE],
-) -> ByteArray
-where
-    D: GenericDigest + BlockSizeUser + FixedOutput + FixedOutputReset,
-    N: ArrayLength,
-{
+pub fn generate_seed(sk: [BaseElement; DIGEST_SIZE], msg: [BaseElement; DIGEST_SIZE]) -> [u8; 32] {
+    let context_bytes = "
+    Seed for PRNG used for Zero-knowledge in RPO-STARK signature scheme:
+    1. Version: Conjectured security
+    2. FRI queries: 30
+    3. Blowup factor: 8
+    4. Grinding bits: 12
+    5. Field extension degree: 2
+    6. FRI folding factor: 4
+    7. FRI remainder polynomial max degree: 7
+    "
+    .to_bytes();
     let sk_bytes = sk.to_bytes();
-    let sk_byte_array: &GenericArray = ByteArray::from_slice(&sk_bytes);
     let msg_bytes = msg.to_bytes();
-    let msg_byte_array: &GenericArray = ByteArray::from_slice(&msg_bytes);
-
-    let mut hmac_drbg = HmacDrbg::::new(sk_byte_array, msg_byte_array, &[]);
-    let mut seed = ByteArray::::default();
-    hmac_drbg.fill_bytes(&mut seed);
+    let total_length = context_bytes.len() + sk_bytes.len() + msg_bytes.len();
+    let mut buffer = Vec::with_capacity(total_length);
+    buffer.extend_from_slice(&context_bytes);
+    buffer.extend_from_slice(&sk_bytes);
+    buffer.extend_from_slice(&msg_bytes);
-    seed
+    blake3::hash(&buffer).into()
 }
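Review bot: The domain-separation string in `generate_seed` hard-codes the scheme's parameters as prose (`FRI queries: 30`, `Blowup factor: 8`, `Grinding bits: 12`, …) with nothing tying it to the `ProofOptions` the prover actually runs with, so a later change to those options would silently leave two differently configured instantiations deriving the same seed for the same `(sk, msg)`, which is exactly what the docstring says the context exists to prevent. Build the context from the live parameters, or keep one versioned constant that a unit test asserts against the prover's `ProofOptions`, and annotate the literal with `// NOTE: every byte of this string, including the leading newline and indentation, is an input to the seed; changing it changes all derived seeds.` BLAKE3 also ships a purpose-built mode for this: `blake3::derive_key(CONTEXT, &key_material)` with `key_material` being `sk_bytes` followed by `msg_bytes` gives the same domain separation without the manual `Vec` assembly (the `to_bytes()` encodings of the two fixed-size `[BaseElement; DIGEST_SIZE]` arrays should keep that concatenation unambiguous either way). `buffer` and `sk_bytes` hold secret-key material and are dropped without being wiped; if the crate already uses a zeroizing wrapper elsewhere, it belongs on these two as well.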