Use SecretBox for all secret values

synedrion/Cargo.toml

@@ -25,7 +25,7 @@ bip32 = { version = "0.5.2", default-features = false, features = ["alloc", "sec
 
 # Note: `alloc` is needed for `crytpto-bigint`'s dependency `serdect` to be able
 # to serialize Uints in human-readable formats.
-crypto-bigint = { version = "0.5.3", default-features = false, features = ["serde", "alloc"] }
+crypto-bigint = { version = "0.5.5", default-features = false, features = ["serde", "alloc", "zeroize"] }
 crypto-primes = { version = "0.5", default-features = false }
 
 serde = { version = "1", default-features = false, features = ["derive"] }

synedrion/src/cggmp21/entities.rs

@@ -113,9 +113,9 @@ pub struct PresigningData<P: SchemeParams, I> {
 
 #[derive(Debug, Clone)]
 pub(crate) struct PresigningValues<P: SchemeParams> {
-    pub(crate) hat_beta: Signed<<P::Paillier as PaillierParams>::Uint>,
-    pub(crate) hat_r: Randomizer<P::Paillier>,
-    pub(crate) hat_s: Randomizer<P::Paillier>,
+    pub(crate) hat_beta: SecretBox<Signed<<P::Paillier as PaillierParams>::Uint>>,
+    pub(crate) hat_r: SecretBox<Randomizer<P::Paillier>>,
+    pub(crate) hat_s: SecretBox<Randomizer<P::Paillier>>,
     pub(crate) cap_k: CiphertextMod<P::Paillier>,
     /// Received $\hat{D}_{i,j}$.
     pub(crate) hat_cap_d_received: CiphertextMod<P::Paillier>,
@@ -331,22 +331,25 @@ impl<P: SchemeParams, I: Ord + Clone + PartialEq> PresigningData<P, I> {
 
             for id_j in ids.iter().filter(|id| id != &id_i) {
                 let hat_beta = Signed::random_bounded_bits(rng, P::LP_BOUND);
-                let hat_s = RandomizerMod::random(rng, &public_keys[&id_j]).retrieve();
-                let hat_r = RandomizerMod::random(rng, pk_i).retrieve();
+                let hat_s = RandomizerMod::random(rng, &public_keys[&id_j])
+                    .retrieve()
+                    .secret_box();
+                let hat_r = RandomizerMod::random(rng, pk_i).retrieve().secret_box();
 
                 let hat_cap_d = &all_cap_k[id_j] * P::signed_from_scalar(x_i.expose_secret())
                     + CiphertextMod::new_with_randomizer_signed(
                         &public_keys[&id_j],
                         &-hat_beta,
-                        &hat_s,
+                        hat_s.clone(),
                     );
-                let hat_cap_f = CiphertextMod::new_with_randomizer_signed(pk_i, &hat_beta, &hat_r);
+                let hat_cap_f =
+                    CiphertextMod::new_with_randomizer_signed(pk_i, &hat_beta, hat_r.clone());
 
                 let id_ij = (id_i.clone(), id_j.clone());
                 let id_ji = (id_j.clone(), id_i.clone());
 
                 hat_betas.insert(id_ij.clone(), hat_beta);
-                hat_ss.insert(id_ij.clone(), hat_s);
+                hat_ss.insert(id_ij.clone(), hat_s.clone());
                 hat_rs.insert(id_ij.clone(), hat_r);
 
                 hat_cap_ds.insert(id_ji.clone(), hat_cap_d);
@@ -368,7 +371,7 @@ impl<P: SchemeParams, I: Ord + Clone + PartialEq> PresigningData<P, I> {
                 values.insert(
                     id_j.clone(),
                     PresigningValues {
-                        hat_beta: hat_betas[&id_ij],
+                        hat_beta: hat_betas[&id_ij].secret_box(),
                         hat_r: hat_rs[&id_ij].clone(),
                         hat_s: hat_ss[&id_ij].clone(),
                         hat_cap_d_received: hat_cap_ds[&id_ij].clone(),

synedrion/src/cggmp21/params.rs

@@ -9,8 +9,9 @@ use crate::uint::{
 };
 
 use serde::{Deserialize, Serialize};
+use zeroize::Zeroize;
 
-#[derive(Debug, Copy, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[derive(Debug, Copy, Clone, PartialEq, Eq, Serialize, Deserialize, Zeroize)]
 pub struct PaillierTest;
 
 impl PaillierParams for PaillierTest {
@@ -65,7 +66,7 @@ impl PaillierParams for PaillierTest {
     type ExtraWideUint = U4096;
 }
 
-#[derive(Debug, Copy, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[derive(Debug, Copy, Clone, PartialEq, Eq, Serialize, Deserialize, Zeroize)]
 pub struct PaillierProduction;
 
 impl PaillierParams for PaillierProduction {

synedrion/src/cggmp21/protocols/presigning.rs

@@ -97,12 +97,18 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> FirstRound<I> for Roun
         let pk = aux_info.secret_aux.paillier_sk.public_key();
 
         let nu = RandomizerMod::<P::Paillier>::random(rng, pk);
-        let cap_g =
-            CiphertextMod::new_with_randomizer(pk, &P::uint_from_scalar(&gamma), &nu.retrieve());
+        let cap_g = CiphertextMod::new_with_randomizer(
+            pk,
+            &P::uint_from_scalar(&gamma),
+            Box::new(nu.retrieve()).into(),
+        );
 
         let rho = RandomizerMod::<P::Paillier>::random(rng, pk);
-        let cap_k =
-            CiphertextMod::new_with_randomizer(pk, &P::uint_from_scalar(&k), &rho.retrieve());
+        let cap_k = CiphertextMod::new_with_randomizer(
+            pk,
+            &P::uint_from_scalar(&k),
+            rho.retrieve().secret_box(),
+        );
 
         Ok(Self {
             context: Context {
@@ -295,12 +301,12 @@ pub struct Round2Message<P: SchemeParams> {
 
 #[derive(Debug, Clone)]
 pub struct Round2Artifact<P: SchemeParams> {
-    beta: Signed<<P::Paillier as PaillierParams>::Uint>, // TODO (#77): secret
-    hat_beta: Signed<<P::Paillier as PaillierParams>::Uint>, // TODO (#77): secret
-    r: Randomizer<P::Paillier>,                          // TODO (#77): secret
-    s: Randomizer<P::Paillier>,                          // TODO (#77): secret
-    hat_r: Randomizer<P::Paillier>,                      // TODO (#77): secret
-    hat_s: Randomizer<P::Paillier>,                      // TODO (#77): secret
+    beta: SecretBox<Signed<<P::Paillier as PaillierParams>::Uint>>,
+    hat_beta: SecretBox<Signed<<P::Paillier as PaillierParams>::Uint>>,
+    r: SecretBox<Randomizer<P::Paillier>>,
+    s: SecretBox<Randomizer<P::Paillier>>,
+    hat_r: SecretBox<Randomizer<P::Paillier>>,
+    hat_s: SecretBox<Randomizer<P::Paillier>>,
     cap_d: CiphertextMod<P::Paillier>,
     cap_f: CiphertextMod<P::Paillier>,
     hat_cap_d: CiphertextMod<P::Paillier>,
@@ -344,25 +350,41 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> Round<I> for Round2<P,
         let aux = (&self.context.ssid_hash, &self.my_id());
 
         let cap_gamma = self.context.gamma.mul_by_generator();
-        let pk = &self.context.aux_info.secret_aux.paillier_sk.public_key();
+        let pk = self.context.aux_info.secret_aux.paillier_sk.public_key();
 
         let target_pk = &self.context.aux_info.public_aux[destination].paillier_pk;
 
-        let beta = Signed::random_bounded_bits(rng, P::LP_BOUND);
-        let hat_beta = Signed::random_bounded_bits(rng, P::LP_BOUND);
-        let r = RandomizerMod::random(rng, pk);
-        let s = RandomizerMod::random(rng, target_pk);
-        let hat_r = RandomizerMod::random(rng, pk);
-        let hat_s = RandomizerMod::random(rng, target_pk);
+        let beta = Signed::random_bounded_bits(rng, P::LP_BOUND).secret_box();
+        let hat_beta = Signed::random_bounded_bits(rng, P::LP_BOUND).secret_box();
+        let r = RandomizerMod::random(rng, pk).secret_box();
+        let s = RandomizerMod::random(rng, target_pk).secret_box();
+        let hat_r = RandomizerMod::random(rng, pk).secret_box();
+        let hat_s = RandomizerMod::random(rng, target_pk).secret_box();
 
-        let cap_f = CiphertextMod::new_with_randomizer_signed(pk, &beta, &r.retrieve());
+        let cap_f = CiphertextMod::new_with_randomizer_signed(
+            pk,
+            beta.expose_secret(),
+            r.expose_secret().retrieve().secret_box(),
+        );
         let cap_d = &self.all_cap_k[destination] * P::signed_from_scalar(&self.context.gamma)
-            + CiphertextMod::new_with_randomizer_signed(target_pk, &-beta, &s.retrieve());
+            + CiphertextMod::new_with_randomizer_signed(
+                target_pk,
+                &-beta.expose_secret(),
+                s.expose_secret().retrieve().secret_box(),
+            );
 
-        let hat_cap_f = CiphertextMod::new_with_randomizer_signed(pk, &hat_beta, &hat_r.retrieve());
+        let hat_cap_f = CiphertextMod::new_with_randomizer_signed(
+            pk,
+            hat_beta.expose_secret(),
+            hat_r.expose_secret().retrieve().secret_box(),
+        );
         let hat_cap_d = &self.all_cap_k[destination]
             * P::signed_from_scalar(self.context.key_share.secret_share.expose_secret())
-            + CiphertextMod::new_with_randomizer_signed(target_pk, &-hat_beta, &hat_s.retrieve());
+            + CiphertextMod::new_with_randomizer_signed(
+                target_pk,
+                &-hat_beta.expose_secret(),
+                hat_s.expose_secret().retrieve().secret_box(),
+            );
 
         let public_aux = &self.context.aux_info.public_aux[destination];
         let rp = &public_aux.rp_params;
@@ -371,8 +393,8 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> Round<I> for Round2<P,
             rng,
             &P::signed_from_scalar(&self.context.gamma),
             &beta,
-            &s,
-            &r,
+            s.expose_secret(), // TODO(dp): Fix AffGProof
+            r.expose_secret(), // TODO(dp): Fix AffGProof
             target_pk,
             pk,
             &self.all_cap_k[destination],
@@ -387,8 +409,8 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> Round<I> for Round2<P,
             rng,
             &P::signed_from_scalar(self.context.key_share.secret_share.expose_secret()),
             &hat_beta,
-            &hat_s,
-            &hat_r,
+            hat_s.expose_secret(),
+            hat_r.expose_secret(),
             target_pk,
             pk,
             &self.all_cap_k[destination],
@@ -425,10 +447,10 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> Round<I> for Round2<P,
         let artifact = Round2Artifact {
             beta,
             hat_beta,
-            r: r.retrieve(),
-            s: s.retrieve(),
-            hat_r: hat_r.retrieve(),
-            hat_s: hat_s.retrieve(),
+            r: r.expose_secret().retrieve().secret_box(), // TODO(dp): Ugggh, this is clunky af.
+            s: s.expose_secret().retrieve().secret_box(),
+            hat_r: hat_r.expose_secret().retrieve().secret_box(),
+            hat_s: hat_s.expose_secret().retrieve().secret_box(),
             cap_d,
             cap_f,
             hat_cap_d,
@@ -542,14 +564,17 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> FinalizableToNextRound
         let cap_delta = cap_gamma * self.context.k;
 
         let alpha_sum: Signed<_> = payloads.values().map(|p| p.alpha).sum();
-        let beta_sum: Signed<_> = artifacts.values().map(|p| p.beta).sum();
+        let beta_sum: Signed<_> = artifacts.values().map(|p| p.beta.expose_secret()).sum();
         let delta = P::signed_from_scalar(&self.context.gamma)
             * P::signed_from_scalar(&self.context.k)
             + alpha_sum
             + beta_sum;
 
         let hat_alpha_sum: Signed<_> = payloads.values().map(|payload| payload.hat_alpha).sum();
-        let hat_beta_sum: Signed<_> = artifacts.values().map(|artifact| artifact.hat_beta).sum();
+        let hat_beta_sum: Signed<_> = artifacts
+            .values()
+            .map(|artifact| artifact.hat_beta.expose_secret())
+            .sum();
         let chi = P::signed_from_scalar(self.context.key_share.secret_share.expose_secret())
             * P::signed_from_scalar(&self.context.k)
             + hat_alpha_sum
@@ -721,8 +746,8 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> FinalizableToResult<I>
                 .map(|(id, artifact)| {
                     let values = PresigningValues {
                         hat_beta: artifact.hat_beta,
-                        hat_r: artifact.hat_r,
-                        hat_s: artifact.hat_s,
+                        hat_r: artifact.hat_r.expose_secret().clone().secret_box(),
+                        hat_s: artifact.hat_s.expose_secret().clone().secret_box(),
                         cap_k: self.all_cap_k[&id].clone(),
                         hat_cap_d_received: self.hat_cap_ds[&id].clone(),
                         hat_cap_d: artifact.hat_cap_d,
@@ -770,8 +795,8 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> FinalizableToResult<I>
                     rng,
                     &P::signed_from_scalar(&self.context.gamma),
                     beta,
-                    &s.to_mod(target_pk),
-                    &r.to_mod(pk),
+                    &s.expose_secret().to_mod(target_pk),
+                    &r.expose_secret().to_mod(pk),
                     target_pk,
                     pk,
                     &self.all_cap_k[id_j],

synedrion/src/cggmp21/protocols/signing.rs

@@ -182,14 +182,14 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> FinalizableToResult<I>
                 let target_pk = &self.aux_info.public_aux[id_j].paillier_pk;
                 let rp = &self.aux_info.public_aux[id_l].rp_params;
 
-                let values = &self.inputs.presigning.values.get(id_j).unwrap();
+                let values = self.inputs.presigning.values.get(id_j).unwrap();
 
                 let p_aff_g = AffGProof::<P>::new(
                     rng,
                     &P::signed_from_scalar(self.inputs.key_share.secret_share.expose_secret()),
                     &values.hat_beta,
-                    &values.hat_s.to_mod(target_pk),
-                    &values.hat_r.to_mod(pk),
+                    &values.hat_s.expose_secret().to_mod(target_pk),
+                    &values.hat_r.expose_secret().to_mod(pk),
                     target_pk,
                     pk,
                     &values.cap_k,