Merge branch 'zkcrypto:main' into main

.github/workflows/ci.yml

@@ -43,22 +43,12 @@ jobs:
         uses: actions-rs/cargo@v1
         with:
           command: build
-          args: --verbose --release --tests --features endo,experimental
+          args: --verbose --release --tests --features experimental,zeroize
       - name: Run tests
         uses: actions-rs/cargo@v1
         with:
           command: test
-          args: --verbose --release --features endo,experimental
-      - name: Build tests (no endomorphism)
-        uses: actions-rs/cargo@v1
-        with:
-          command: build
-          args: --verbose --release --tests
-      - name: Run tests (no endomorphism)
-        uses: actions-rs/cargo@v1
-        with:
-          command: test
-          args: --verbose --release
+          args: --verbose --release --features experimental,zeroize
 
   no-std:
     name: Check no-std target ${{ matrix.target }}

Cargo.toml

@@ -9,7 +9,7 @@ homepage = "https://github.com/zkcrypto/bls12_381"
 license = "MIT/Apache-2.0"
 name = "bls12_381"
 repository = "https://github.com/zkcrypto/bls12_381"
-version = "0.5.0"
+version = "0.6.0"
 edition = "2018"
 
 [package.metadata.docs.rs]
@@ -37,16 +37,16 @@ version = "0.9"
 optional = true
 
 [dependencies.ff]
-version = "0.10"
+version = "0.11"
 default-features = false
 
 [dependencies.group]
-version = "0.10"
+version = "0.11"
 default-features = false
 optional = true
 
 [dependencies.pairing]
-version = "0.20"
+version = "0.21"
 optional = true
 
 [dependencies.rand_core]
@@ -57,15 +57,16 @@ default-features = false
 version = "2.2.1"
 default-features = false
 
+[dependencies.zeroize]
+version = "1.4"
+default-features = false
+optional = true
+
 [features]
-default = ["groups", "pairings", "alloc", "bits", "endo"]
+default = ["groups", "pairings", "alloc", "bits"]
 bits = ["ff/bits"]
 groups = ["group"]
 pairings = ["groups", "pairing"]
 alloc = ["group/alloc"]
 experimental = ["digest"]
 nightly = ["subtle/nightly"]
-
-# Deprecated.
-# GLV patents US7110538B2 and US7995752B2 expired in September 2020.
-endo = []

README.md

@@ -14,7 +14,6 @@ This crate provides an implementation of the BLS12-381 pairing-friendly elliptic
 * `pairings` (on by default): Enables some APIs for performing pairings.
 * `alloc` (on by default): Enables APIs that require an allocator; these include pairing optimizations.
 * `nightly`: Enables `subtle/nightly` which tries to prevent compiler optimizations that could jeopardize constant time operations. Requires the nightly Rust compiler.
-* `endo` (on by default): Enables optimizations that leverage curve endomorphisms. Deprecated, will be removed in a future release.
 * `experimental`: Enables experimental features. These features have no backwards-compatibility guarantees and may change at any time; users that depend on specific behaviour should pin an exact version of this crate. The current list of experimental features:
   * Hashing to curves ([Internet Draft v11](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11))
 

RELEASES.md

@@ -1,3 +1,21 @@
+# 0.6.0
+
+## Fixed
+- `bls12_381::Gt::default()` now returns `Gt::identity()` instead of a nonsensical value.
+
+## Added
+- Zeroization support for most public types, behind the `zeroize` feature flag.
+- `bls12_381::MillerLoopResult` trait implementations:
+  - `Default`
+  - `AddAssign<MillerLoopResult>`
+  - `AddAssign<&MillerLoopResult>`
+
+## Changed
+- Bumped dependencies to `ff 0.11`, `group 0.11`, `pairing 0.21`.
+
+## Removed
+- The deprecated `endo` feature flag.
+
 # 0.5.0
 
 ## Added

src/fp.rs

@@ -32,6 +32,9 @@ impl Default for Fp {
     }
 }
 
+#[cfg(feature = "zeroize")]
+impl zeroize::DefaultIsZeroes for Fp {}
+
 impl ConstantTimeEq for Fp {
     fn ct_eq(&self, other: &Self) -> Choice {
         self.0[0].ct_eq(&other.0[0])
@@ -914,3 +917,13 @@ fn test_lexicographic_largest() {
         .lexicographically_largest()
     ));
 }
+
+#[cfg(feature = "zeroize")]
+#[test]
+fn test_zeroize() {
+    use zeroize::Zeroize;
+
+    let mut a = Fp::one();
+    a.zeroize();
+    assert!(bool::from(a.is_zero()));
+}

src/fp12.rs

@@ -62,6 +62,9 @@ impl Default for Fp12 {
     }
 }
 
+#[cfg(feature = "zeroize")]
+impl zeroize::DefaultIsZeroes for Fp12 {}
+
 impl fmt::Debug for Fp12 {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         write!(f, "{:?} + ({:?})*w", self.c0, self.c1)
@@ -644,3 +647,13 @@ fn test_arithmetic() {
             .frobenius_map()
     );
 }
+
+#[cfg(feature = "zeroize")]
+#[test]
+fn test_zeroize() {
+    use zeroize::Zeroize;
+
+    let mut a = Fp12::one();
+    a.zeroize();
+    assert!(bool::from(a.is_zero()));
+}

src/fp2.rs

@@ -25,6 +25,9 @@ impl Default for Fp2 {
     }
 }
 
+#[cfg(feature = "zeroize")]
+impl zeroize::DefaultIsZeroes for Fp2 {}
+
 impl From<Fp> for Fp2 {
     fn from(f: Fp) -> Fp2 {
         Fp2 {
@@ -890,3 +893,13 @@ fn test_lexicographic_largest() {
         .lexicographically_largest()
     ));
 }
+
+#[cfg(feature = "zeroize")]
+#[test]
+fn test_zeroize() {
+    use zeroize::Zeroize;
+
+    let mut a = Fp2::one();
+    a.zeroize();
+    assert!(bool::from(a.is_zero()));
+}

src/fp6.rs

@@ -55,6 +55,9 @@ impl Default for Fp6 {
     }
 }
 
+#[cfg(feature = "zeroize")]
+impl zeroize::DefaultIsZeroes for Fp6 {}
+
 impl fmt::Debug for Fp6 {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         write!(f, "{:?} + ({:?})*v + ({:?})*v^2", self.c0, self.c1, self.c2)
@@ -514,3 +517,13 @@ fn test_arithmetic() {
     );
     assert_eq!(a.invert().unwrap() * a, Fp6::one());
 }
+
+#[cfg(feature = "zeroize")]
+#[test]
+fn test_zeroize() {
+    use zeroize::Zeroize;
+
+    let mut a = Fp6::one();
+    a.zeroize();
+    assert!(bool::from(a.is_zero()));
+}

src/g1.rs

@@ -37,6 +37,9 @@ impl Default for G1Affine {
     }
 }
 
+#[cfg(feature = "zeroize")]
+impl zeroize::DefaultIsZeroes for G1Affine {}
+
 impl fmt::Display for G1Affine {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         write!(f, "{:?}", self)
@@ -430,6 +433,9 @@ impl Default for G1Projective {
     }
 }
 
+#[cfg(feature = "zeroize")]
+impl zeroize::DefaultIsZeroes for G1Projective {}
+
 impl fmt::Display for G1Projective {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         write!(f, "{:?}", self)
@@ -817,6 +823,7 @@ impl G1Projective {
     }
 }
 
+#[derive(Clone, Copy)]
 pub struct G1Compressed([u8; 48]);
 
 impl fmt::Debug for G1Compressed {
@@ -831,6 +838,9 @@ impl Default for G1Compressed {
     }
 }
 
+#[cfg(feature = "zeroize")]
+impl zeroize::DefaultIsZeroes for G1Compressed {}
+
 impl AsRef<[u8]> for G1Compressed {
     fn as_ref(&self) -> &[u8] {
         &self.0
@@ -843,6 +853,21 @@ impl AsMut<[u8]> for G1Compressed {
     }
 }
 
+impl ConstantTimeEq for G1Compressed {
+    fn ct_eq(&self, other: &Self) -> Choice {
+        self.0.ct_eq(&other.0)
+    }
+}
+
+impl Eq for G1Compressed {}
+impl PartialEq for G1Compressed {
+    #[inline]
+    fn eq(&self, other: &Self) -> bool {
+        bool::from(self.ct_eq(other))
+    }
+}
+
+#[derive(Clone, Copy)]
 pub struct G1Uncompressed([u8; 96]);
 
 impl fmt::Debug for G1Uncompressed {
@@ -857,6 +882,9 @@ impl Default for G1Uncompressed {
     }
 }
 
+#[cfg(feature = "zeroize")]
+impl zeroize::DefaultIsZeroes for G1Uncompressed {}
+
 impl AsRef<[u8]> for G1Uncompressed {
     fn as_ref(&self) -> &[u8] {
         &self.0
@@ -869,6 +897,20 @@ impl AsMut<[u8]> for G1Uncompressed {
     }
 }
 
+impl ConstantTimeEq for G1Uncompressed {
+    fn ct_eq(&self, other: &Self) -> Choice {
+        self.0.ct_eq(&other.0)
+    }
+}
+
+impl Eq for G1Uncompressed {}
+impl PartialEq for G1Uncompressed {
+    #[inline]
+    fn eq(&self, other: &Self) -> bool {
+        bool::from(self.ct_eq(other))
+    }
+}
+
 impl Group for G1Projective {
     type Scalar = Scalar;
 
@@ -1645,3 +1687,25 @@ fn test_batch_normalize() {
         }
     }
 }
+
+#[cfg(feature = "zeroize")]
+#[test]
+fn test_zeroize() {
+    use zeroize::Zeroize;
+
+    let mut a = G1Affine::generator();
+    a.zeroize();
+    assert!(bool::from(a.is_identity()));
+
+    let mut a = G1Projective::generator();
+    a.zeroize();
+    assert!(bool::from(a.is_identity()));
+
+    let mut a = GroupEncoding::to_bytes(&G1Affine::generator());
+    a.zeroize();
+    assert_eq!(&a, &G1Compressed::default());
+
+    let mut a = UncompressedEncoding::to_uncompressed(&G1Affine::generator());
+    a.zeroize();
+    assert_eq!(&a, &G1Uncompressed::default());
+}